hello everyone. I have an alert requirement. An administrator has logged in to the device. I want to compare his current IP address with that of the last time or of the previous 7 days; if different, then alert. However, there are multiple administrator accounts, and the fixed IP address used by each administrator may also be different. For example, `admin` often uses IP `2.2.2.2` to log in to the device, and `admin2` often uses IP `3.3.3.3` to log in to the device.
On November 14, 2019, these two administrators used a different IP than usual to log in to the device. I think this is abnormal behavior, whether they log in successfully or fail.
| _time | account | src_ip | status |
|---|---|---|---|
| 2019/11/14 14:30:00 | admin2 | 4.4.4.4 | Failed |
| 2019/11/14 14:00:00 | admin | 1.1.1.1 | success |
| 2019/11/14 09:00:00 | admin | 2.2.2.2 | success |
| 2019/11/13 09:00:00 | admin2 | 3.3.3.3 | success |
| 2019/11/13 08:00:00 | admin | 2.2.2.2 | success |
| 2019/11/12 11:00:00 | admin | 2.2.2.2 | success |
| 2019/11/11 10:00:00 | admin | 2.2.2.2 | success |
| 2019/11/10 00:00:00 | admin | 2.2.2.2 | success |
| 2019/11/09 09:00:00 | admin2 | 3.3.3.3 | Failed |
| 2019/11/08 09:00:00 | admin2 | 3.3.3.3 | success |
How should I write this SPL and configure the alert?
I want to check the login log every 5 minutes, and then compare the login IP with that of the previous 7 days OR the last time.
All help will be appreciated.
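The detection logic the question describes, written as a stand-alone Python reimplementation rather than SPL, and not taken from the original post or from any Splunk answer: per account, an event alerts when its `src_ip` was not seen for that account in the preceding 7 days (or, with `last_only=True`, differs from that account's most recent login). Successes and failures both feed the baseline and both can alert; whether an account's very first login should alert is an assumption left as the `alert_on_first_seen` switch. The log lines are constructed from the table in the question.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, same rows as the question's table ("_time account src_ip status").
SAMPLE_LOG = """\
2019/11/14 14:30:00 admin2 4.4.4.4 Failed
2019/11/14 14:00:00 admin 1.1.1.1 success
2019/11/14 09:00:00 admin 2.2.2.2 success
2019/11/13 09:00:00 admin2 3.3.3.3 success
2019/11/13 08:00:00 admin 2.2.2.2 success
2019/11/12 11:00:00 admin 2.2.2.2 success
2019/11/11 10:00:00 admin 2.2.2.2 success
2019/11/10 00:00:00 admin 2.2.2.2 success
2019/11/09 09:00:00 admin2 3.3.3.3 Failed
2019/11/08 09:00:00 admin2 3.3.3.3 success
"""


def parse_log(text):
    """Parse whitespace-separated login lines into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, account, src_ip, status = line.split()
        when = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
        events.append({"_time": when, "account": account, "src_ip": src_ip, "status": status})
    return sorted(events, key=lambda e: e["_time"])


def find_new_ip_logins(events, window=timedelta(days=7), last_only=False, alert_on_first_seen=False):
    """Return the events whose src_ip is new for that account relative to its
    own history: the previous `window` of logins, or only the last login when
    last_only is set. Failed and successful logins are treated alike."""
    history = defaultdict(list)  # account -> [(time, ip), ...] oldest first
    alerts = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        prior = history[ev["account"]]
        cutoff = ev["_time"] - window
        while prior and prior[0][0] < cutoff:  # expire entries outside the window
            prior.pop(0)
        baseline = {prior[-1][1]} if (last_only and prior) else {ip for _, ip in prior}
        if ev["src_ip"] not in baseline and (baseline or alert_on_first_seen):
            alerts.append({**ev, "known_ips": sorted(baseline)})
        prior.append((ev["_time"], ev["src_ip"]))  # current event joins the baseline
    return alerts
```

Run this over each 5-minute batch by feeding it the batch plus the previous 7 days of history, since the baseline is rebuilt from whatever events are passed in.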