Hi,
We began to use Graylog recently and found that it is very useful, really a great tool.
One of the points interesting for us is event correlation and alerting.
We want to be able to correlate webmail connection for the same user based on ip src.
We want to use BIG-IP logs for that, but the information can only be obtained by following this manual process:
1. Search for new connections (search filter: "New session") and get the sessionid and username fields
2. Search with this sessionid to find the field ip_src
3. Alert if the IP geolocations are different within a 10-minute period
The idea is to identify if accounts are being hacked.
Is it possible?
Thanks
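The three manual steps in the post, written out as a small correlation script. This is an added example, not code from the post's author or from Graylog: the log line layout, the `sessionid`/`username`/`ip_src` field names placed in free text, and the prefix-to-country table standing in for a real GeoIP lookup are all assumptions. It joins "New session" events with the later `ip_src` line by `sessionid`, groups the joined sessions per user, and raises an alert when two consecutive logins by the same user within 10 minutes resolve to different countries.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a BIG-IP-like layout (not real device output).
# The field names follow the original post; the surrounding message text is assumed.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z bigip apm: New session sessionid=s1 username=alice",
    "2024-05-01T10:00:01Z bigip apm: sessionid=s1 ip_src=203.0.113.7",
    "2024-05-01T10:04:00Z bigip apm: New session sessionid=s2 username=alice",
    "2024-05-01T10:04:01Z bigip apm: sessionid=s2 ip_src=198.51.100.9",
    "2024-05-01T10:05:00Z bigip apm: New session sessionid=s3 username=bob",
    "2024-05-01T10:05:01Z bigip apm: sessionid=s3 ip_src=203.0.113.8",
    "2024-05-01T10:06:00Z bigip apm: New session sessionid=s5 username=alice",
    "2024-05-01T10:06:01Z bigip apm: sessionid=s5 ip_src=198.51.100.11",
    "2024-05-01T10:30:00Z bigip apm: New session sessionid=s4 username=bob",
    "2024-05-01T10:30:01Z bigip apm: sessionid=s4 ip_src=198.51.100.10",
    # orphan ip_src line with no matching "New session": must be ignored
    "2024-05-01T10:31:00Z bigip apm: sessionid=s9 ip_src=192.0.2.1",
]

# Constructed stand-in for a GeoIP lookup: /24 prefix -> country code.
# In a real deployment this is replaced by a GeoIP database or lookup table.
GEO_TABLE = {
    "203.0.113": "FR",
    "198.51.100": "US",
}

WINDOW = timedelta(minutes=10)
KV_RE = re.compile(r"(\w+)=(\S+)")


def geo_lookup(ip):
    """Resolve an IPv4 address to a country via the constructed /24 table."""
    prefix = ip.rsplit(".", 1)[0]
    return GEO_TABLE.get(prefix, "UNKNOWN")


def parse_line(line):
    """Split a log line into its timestamp and key=value fields."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["new_session"] = "New session" in rest
    return fields


def build_sessions(lines):
    """Steps 1 and 2: join 'New session' events with the ip_src line on sessionid."""
    sessions = defaultdict(dict)
    for line in lines:
        f = parse_line(line)
        sid = f.get("sessionid")
        if sid is None:
            continue
        if f["new_session"]:
            sessions[sid].update(username=f["username"], time=f["time"])
        elif "ip_src" in f:
            sessions[sid].update(ip_src=f["ip_src"], country=geo_lookup(f["ip_src"]))
    # keep only sessions where both halves were seen
    return [dict(sessionid=sid, **s) for sid, s in sessions.items()
            if "username" in s and "ip_src" in s]


def find_geo_anomalies(lines, window=WINDOW):
    """Step 3: alert when consecutive logins by one user within the window
    resolve to different countries."""
    by_user = defaultdict(list)
    for s in build_sessions(lines):
        by_user[s["username"]].append(s)
    alerts = []
    for user, sessions in by_user.items():
        sessions.sort(key=lambda s: s["time"])
        for prev, cur in zip(sessions, sessions[1:]):
            gap = cur["time"] - prev["time"]
            if gap <= window and cur["country"] != prev["country"]:
                alerts.append({
                    "username": user,
                    "previous": prev["sessionid"],
                    "current": cur["sessionid"],
                    "countries": (prev["country"], cur["country"]),
                    "minutes_apart": gap.total_seconds() / 60,
                })
    return alerts


if __name__ == "__main__":
    for a in find_geo_anomalies(SAMPLE_LOGS):
        print(a)
```

On the constructed sample this flags only alice (FR at 10:00, then US four minutes later); bob also changes country but 25 minutes apart, and alice's third login is from the same country as her second. Comparing consecutive logins keeps one alert per change rather than one per pair; tune the window and the "UNKNOWN" handling to your own traffic before turning this into an alert condition.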