AD failed log on stream


(Jamesy) #1

Hey Gloggers,

I have selected Windows event logs coming from our DCs, and among them I am ingesting failed login event ID 4625. I created a stream that extracts these events and sends an email callback. The condition I have applied is to trigger an alert when 5 of these messages are caught in the stream within 1 minute. I have a backlog of 5 messages set and am extracting the relevant fields to add to the alert. This works fine, with the exception that it is not reflecting when a single user had 5 failed login attempts. For example, if 5 individual users each had 1 failed login attempt, the alert would be triggered.

Is there a way that I can be more specific and only fire when a single user is detected with 5 failed login attempts?

Thanks,
Jamesy


(Jan Doberstein) #2

With vanilla Graylog that is not possible. You would need to use a plugin for that. I think this might help you:

But you would need to extract the user names into a single field to be able to solve your described issue.


(Jamesy) #3

Hey Jan,

Thanks for this. It is a great plugin and seems to be what I need. It is behaving a little strangely at times though. My config is simply looking for the TargetUserName field of a stream that is filtering on event ID 4625. I have set the conditions to look for 5 or more of the same value in this field within 1 minute. This works sometimes and displays the backlog, but in some cases the alert remains ongoing and unresolved, and in others it spams my inbox with a target username that contains a long string of random data.
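To make the difference between the two conditions concrete (the plain stream count from post #1 versus the per-TargetUserName count from post #3), here is an added example that is not part of the original thread and not Graylog or plugin code. It runs both conditions over a handful of constructed 4625/4624 records in a 1-minute sliding window and shows that only the per-user version ignores five different accounts failing once each. Field names follow the Windows Security log (EventID, TargetUserName); the timestamps and account names are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records standing in for Windows Security log events as
# they would arrive in a Graylog stream. EventID 4625 = failed logon,
# EventID 4624 = successful logon. Names and times are invented.
SAMPLE_EVENTS = [
    # five different accounts, one failure each, all inside one minute
    {"ts": "2020-01-01T10:00:00", "EventID": 4625, "TargetUserName": "alice"},
    {"ts": "2020-01-01T10:00:10", "EventID": 4625, "TargetUserName": "bob"},
    {"ts": "2020-01-01T10:00:20", "EventID": 4625, "TargetUserName": "carol"},
    {"ts": "2020-01-01T10:00:30", "EventID": 4625, "TargetUserName": "dave"},
    {"ts": "2020-01-01T10:00:40", "EventID": 4625, "TargetUserName": "erin"},
    # one account failing five times inside one minute
    {"ts": "2020-01-01T10:05:00", "EventID": 4625, "TargetUserName": "svc_backup"},
    {"ts": "2020-01-01T10:05:05", "EventID": 4625, "TargetUserName": "svc_backup"},
    {"ts": "2020-01-01T10:05:10", "EventID": 4625, "TargetUserName": "svc_backup"},
    {"ts": "2020-01-01T10:05:15", "EventID": 4625, "TargetUserName": "svc_backup"},
    {"ts": "2020-01-01T10:05:20", "EventID": 4625, "TargetUserName": "svc_backup"},
    # a successful logon and a 4625 with no extracted user: both must be ignored
    {"ts": "2020-01-01T10:06:00", "EventID": 4624, "TargetUserName": "alice"},
    {"ts": "2020-01-01T10:06:30", "EventID": 4625, "TargetUserName": ""},
]

THRESHOLD = 5
WINDOW = timedelta(minutes=1)


def _failed_logons(events):
    """Yield (timestamp, user) for 4625 events that carry a TargetUserName,
    in time order. This is the equivalent of the stream filter."""
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("EventID") != 4625:
            continue
        user = ev.get("TargetUserName")
        if not user:
            continue
        yield datetime.fromisoformat(ev["ts"]), user


def _slide(window_deque, ts, window):
    """Drop timestamps older than `window` relative to `ts`."""
    window_deque.append(ts)
    while window_deque and ts - window_deque[0] > window:
        window_deque.popleft()


def detect_stream_count(events, threshold=THRESHOLD, window=WINDOW):
    """Condition from post #1: fire when `threshold` 4625 messages arrive in
    the stream within `window`, regardless of which account they belong to."""
    recent = deque()
    alerts = []
    for ts, _user in _failed_logons(events):
        _slide(recent, ts, window)
        if len(recent) >= threshold:
            alerts.append({"count": len(recent), "first": recent[0].isoformat(),
                           "last": ts.isoformat()})
            recent.clear()  # one alert per burst, not one per extra message
    return alerts


def detect_per_user_failures(events, threshold=THRESHOLD, window=WINDOW):
    """Condition from post #3: fire only when the same TargetUserName value
    appears in `threshold` 4625 messages within `window`."""
    per_user = defaultdict(deque)
    alerts = []
    for ts, user in _failed_logons(events):
        recent = per_user[user]
        _slide(recent, ts, window)
        if len(recent) >= threshold:
            alerts.append({"user": user, "count": len(recent),
                           "first": recent[0].isoformat(), "last": ts.isoformat()})
            recent.clear()
    return alerts


if __name__ == "__main__":
    print("stream count :", detect_stream_count(SAMPLE_EVENTS))
    print("per user     :", detect_per_user_failures(SAMPLE_EVENTS))
```

The plain count fires twice (once on the five distinct accounts, once on svc_backup), while the per-user count fires only for svc_backup. Clearing the window after an alert is a design choice: without it, every further failure inside the minute would raise another alert for the same burst, which is one way an alert can keep re-firing.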


(Jan Doberstein) #4

Without knowing what you have configured and how, it is hard to tell and more of a wild guess. In addition, this might be related to using the plugin, but for that I personally can't give you any support.


(Jamesy) #5

Thanks Jan,

It wasn’t for support as much as just putting my experience of it out there for others. I’ll keep tweaking it until it works as expected and update if I have anything worth noting.

Cheers,
Jamesy


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.