We are currently on version 2.4. We are sending logs to a Graylog server from our Windows / Linux clients.
Based on the events that it is collecting, is there any way to get alerted on stuff like "multiple login failures" or "brute force login attempts" when someone fat-fingers their password or keeps guessing passwords while trying to log in to those clients?
I understand Graylog is not a SIEM, but can it be configured to alert on such security events?
If so, how do we go about it?
Quick answer: it works well with events that have been seen before; you can easily design simple alert conditions for an alarm e-mail, like if the count of a specific event (e.g. the Windows 4625 event) exceeds some threshold value in a specific period of time. To be sure that the alert works, it should be simulated and tested: if you watch for an HDD failure event in a disk array or a network loop condition in managed switch events, it has to have been registered at least once before so you can write correct conditions.
Graylog documentation IMHO is quite good: http://docs.graylog.org/en/2.4/pages/streams/alerts.html
O.K., but take it as a guideline: probably not perfect, but at least working.
1) Create a new stream based on the default index set: type something in Title and Description (the "Remove matches from 'All messages' stream" checkbox shall stay unchecked).
2) Press Manage Rules for your creation and go straight to Add Stream rule. Type EventID in Field (it shall autocomplete, if such a field has been parsed from your events) and "match exactly" 4625; this filters only this event out of all the Windows-generated filth.
3) Press the Back button of your browser and Start Stream. On busy streams you shall see more than 0 messages/second; on an idle test system you can make some failed attempts and then verify that you see them when you click on the Stream title. If there is no result, go back to 2) and use "1. Load a message to test rules", as it can help to find the problem.
4) There is no need to Manage Outputs for this stream, so we can go to the Alerts form.
5) Let's Manage Conditions, because we want an alert if there are, let's say, 300 events with ID 4625 in a 15-minute period. You can adjust the values to your needs later.
6) Add New Condition initially wants to know the Stream Title, which we named in 1), and the Condition type; let's choose Message Count Alert Condition here and then Add Alert Condition by filling in the form, which has great field descriptions. I suggest putting at least 1 in Message Backlog; it helps to jump from the e-mail straight to the message in the Graylog interface (if you have access).
7) Manage Notifications shall be used to Add New Notification.
8) Don't ask me why you have to choose the stream again (yes, you did it already in the conditions); also, the E-mail Alert Callback option shall be chosen as the Notification type.
9) Add Alert Notification opens another well-described form, except for the field E-Mail Receivers: you have to press Enter after each e-mail you type here, and on confirmation it changes to a blue rectangle.
10) You can test your notification with the Test button. Great if you receive something; otherwise search for the E-mail section in the Graylog config file, which has some settings that most probably will require a Graylog restart if changed. BTW, it is a great idea to do a full test by setting a small threshold or by brute-forcing, as the notification test doesn't check conditions.
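The steps above configure two things in Graylog: a stream rule ("EventID match exactly 4625") and a Message Count Alert Condition over that stream. The script below is an added example, not part of the answer and not Graylog's code: it replays the same two pieces of logic over a handful of constructed Windows Security messages, so you can see which message would trip the alert before you set the real threshold. Assumptions it makes: the condition is evaluated on every arriving message (Graylog checks on a timer instead), the field names `EventID`, `source` and `TargetUserName` are whatever your extractor produced, and the `group_by` option (a separate window per host or account) is something Graylog 2.4's Message Count condition does not offer; it is included to show the difference between one account being hammered and a few fat-fingered passwords spread across many users.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample messages shaped like the fields Graylog extracts from the
# Windows Security log (EventID 4625 = "An account failed to log on").
# These are made up for the example, not real log data.
SAMPLE_MESSAGES = [
    {"timestamp": "2018-05-01T10:00:00", "source": "ws01", "EventID": "4625", "TargetUserName": "alice"},
    {"timestamp": "2018-05-01T10:00:04", "source": "ws01", "EventID": "4624", "TargetUserName": "alice"},
    {"timestamp": "2018-05-01T10:20:00", "source": "ws01", "EventID": "4625", "TargetUserName": "alice"},
] + [
    # a burst of failed logons against srv02 inside one minute (the brute-force case)
    {"timestamp": "2018-05-01T10:30:%02d" % s, "source": "srv02", "EventID": "4625",
     "TargetUserName": "administrator"} for s in range(0, 60, 10)
]


def parse_timestamp(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def stream_rule(msg, field="EventID", value="4625"):
    """Step 2): the stream rule 'EventID match exactly 4625'.
    The extracted field is compared as text, so 4625 and "4625" both match."""
    return str(msg.get(field, "")) == value


def message_count_condition(messages, threshold=300, window_minutes=15,
                            grace_minutes=0, backlog=1, group_by=None):
    """Step 6): a 'Message Count Alert Condition' of type 'more than'.

    Fires when more than `threshold` stream messages fall inside the trailing
    `window_minutes`, then stays quiet for `grace_minutes` (Graylog's grace period).
    Assumption: evaluated per message; Graylog evaluates on a schedule.
    `group_by` is an assumed extension, not a Graylog 2.4 setting: it keeps one
    window per key (e.g. per source host) instead of one for the whole stream.
    Returns the alerts that would have been raised, each carrying the newest
    `backlog` messages, which is what the Message Backlog setting puts in the e-mail."""
    window = timedelta(minutes=window_minutes)
    grace = timedelta(minutes=grace_minutes)
    in_stream = sorted((m for m in messages if stream_rule(m)),
                       key=lambda m: parse_timestamp(m["timestamp"]))
    windows = defaultdict(deque)   # key -> deque of (timestamp, message) inside the window
    last_alert = {}                # key -> time the last alert fired
    alerts = []
    for msg in in_stream:
        now = parse_timestamp(msg["timestamp"])
        key = group_by(msg) if group_by else "stream"
        recent = windows[key]
        recent.append((now, msg))
        # drop everything older than the window; the deque is never empty here
        while now - recent[0][0] > window:
            recent.popleft()
        in_grace = key in last_alert and now - last_alert[key] < grace
        if len(recent) > threshold and not in_grace:
            last_alert[key] = now
            alerts.append({
                "key": key,
                "triggered_at": now,
                "count": len(recent),
                "backlog": [m for _, m in list(recent)[-backlog:]],
            })
    return alerts


if __name__ == "__main__":
    # With the answer's 300-in-15-minutes threshold the sample data is far too quiet to alert.
    print("300/15min, whole stream:", message_count_condition(SAMPLE_MESSAGES))
    # A small threshold, as the answer suggests for a full test, catches the srv02 burst
    # once (grace period), while alice's two fat-fingered logons 20 minutes apart stay silent.
    for alert in message_count_condition(SAMPLE_MESSAGES, threshold=5, grace_minutes=15,
                                         group_by=lambda m: m["source"]):
        print(alert["key"], alert["triggered_at"], alert["count"],
              [m["TargetUserName"] for m in alert["backlog"]])
```

Run it as-is to see the whole-stream condition stay silent at 300 and fire at a threshold of 5; then pick the real threshold from what your own 4625 volume looks like in the stream's message rate, since a value that never trips on a busy domain controller during normal hours is as useless as one that pages on every forgotten password.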