ALERT - Group by and Count Distinct

Hello everyone!

I’m using Graylog version 3.3.

I would like to know if it’s possible or if you guys have a trick to create alerts grouping by one field and counting distinctly another field.

For example for failed authentication events:

Cases

  • A user is trying to authenticate to many different hosts, so I would like a rule where I could group by this single user and count how many unique hosts he is trying.
  • A user is trying to authenticate from many different IPs.

I know that was possible in previous Graylog versions with the plugin graylog-plugin-aggregation-count.

Hey @min,

Such is possible. You first need to create one event that has the username as key, with the IP and the target available as second fields.

Now you can run a second event runner on the given events that can aggregate on the username grouped by targets … With the enterprise plugins you could correlate that you want to get a notification if the IP of that user is changing or similar.

Jan

Hey @jan!

Thank you for the reply! I’m not sure if I got it.

First I need to create an event that will catch the failed authentication events and add custom fields to it: the username as key and a target field with the source and destination IP.

And then do I need to create another alert? An alert using the Event Stream? How could I do that?

Thanks,
Min

You define the second event taking the event stream and searching for the keys. You can work with the created events like with other messages from streams.

With the correlation engine you select the kind of events …

1 Like
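To make the two-stage approach concrete, here is an added example (not code from the thread or from Graylog) that models it outside the UI: stage 1 turns raw failed-login messages into events keyed on the username, and stage 2 aggregates those events per username, counting distinct values of a second field (target host or source IP) inside a trailing time window. All field names and sample messages are constructed assumptions, not Graylog's schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample messages (not real logs), already parsed into fields the way
# an extractor or pipeline rule would leave them. Field names are assumptions.
SAMPLE_MESSAGES = [
    {"timestamp": "2020-09-01T09:20:00", "event_type": "auth_failed", "user": "alice", "src_ip": "10.0.0.5", "target": "old01"},
    {"timestamp": "2020-09-01T10:00:00", "event_type": "auth_failed", "user": "alice", "src_ip": "10.0.0.5", "target": "web01"},
    {"timestamp": "2020-09-01T10:01:00", "event_type": "auth_failed", "user": "alice", "src_ip": "10.0.0.5", "target": "web02"},
    {"timestamp": "2020-09-01T10:02:00", "event_type": "auth_failed", "user": "alice", "src_ip": "10.0.0.5", "target": "web03"},
    {"timestamp": "2020-09-01T10:03:00", "event_type": "auth_failed", "user": "alice", "src_ip": "10.0.0.5", "target": "db01"},
    {"timestamp": "2020-09-01T10:03:30", "event_type": "auth_ok", "user": "alice", "src_ip": "10.0.0.5", "target": "db01"},
    {"timestamp": "2020-09-01T10:04:00", "event_type": "auth_failed", "user": "bob", "src_ip": "198.51.100.7", "target": "vpn"},
    {"timestamp": "2020-09-01T10:04:20", "event_type": "auth_failed", "user": "bob", "src_ip": "198.51.100.8", "target": "vpn"},
    {"timestamp": "2020-09-01T10:04:40", "event_type": "auth_failed", "user": "bob", "src_ip": "203.0.113.9", "target": "vpn"},
    {"timestamp": "2020-09-01T10:05:00", "event_type": "auth_failed", "user": "carol", "src_ip": "10.0.0.9", "target": "web01"},
]

def stage1_events(messages):
    """Stage 1 (first event definition): keep only failed authentications and emit
    one event per message with the username as key and IP/target carried along."""
    events = []
    for m in messages:
        if m.get("event_type") != "auth_failed":
            continue
        events.append({"key": m["user"], "source_ip": m["src_ip"], "target": m["target"],
                       "timestamp": datetime.fromisoformat(m["timestamp"])})
    return events

def stage2_distinct_count(events, distinct_field, threshold, window=timedelta(minutes=5)):
    """Stage 2 (event definition on the event stream): group by key, count distinct
    values of distinct_field within a trailing window, and return {key: peak_count}
    for every key whose count reached the threshold."""
    by_key = defaultdict(list)
    for e in events:
        by_key[e["key"]].append(e)
    alerts = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda e: e["timestamp"])
        for i, current in enumerate(evs):
            start = current["timestamp"] - window
            distinct = {x[distinct_field] for x in evs[: i + 1] if x["timestamp"] >= start}
            if len(distinct) >= threshold:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts

if __name__ == "__main__":
    events = stage1_events(SAMPLE_MESSAGES)
    print("users hitting >=3 distinct hosts:", stage2_distinct_count(events, "target", 3))
    print("users from >=3 distinct IPs:", stage2_distinct_count(events, "source_ip", 3))
```

The stale "old01" failure at 09:20 falls outside the 5-minute window, so alice's peak distinct-host count is 4 rather than 5; widen the window and it becomes 5.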

Thanks Jan! I think I got it…

I was able to create the event with the fields, but not exactly alert by count distinctly.

So, do I need the correlation engine to perform this?

Hey Jan,

I was doing some tests…

I can’t select the “All Alerts” stream on the alerts.

How can I do this?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.