Alerting based on event correlation with multiple lines


We began to use graylog recently and found that is very useful, really great tool.

One of the point interesting for us is event correlation and alerting.

We want to be able to correlate webmail connection for the same user based on ip src.

We want to use bigip logs for that, but the information can only be obtained when following this manual process

1.Search for new connection (Search filter : “New session”) and get sessionid and username fields
2.Search with this sessionid to find the field ip_src
3.Alert if ip geo location are different from a 10 minute period

The idea is to identify if accounts are being hacked.

Is it possible ?


If you want to use correlation, you need Enterprise license, which is free if you have lower than 5GB logs of day:

Video how to install Enterprise license:

Form to get Enterprise license key:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.