Alerting based on event correlation with multiple lines

Hi,

We began to use Graylog recently and found that it is very useful, a really great tool.

One of the points interesting for us is event correlation and alerting.

We want to be able to correlate webmail connections for the same user based on IP src.

We want to use BIG-IP logs for that, but the information can only be obtained by following this manual process:

1. Search for new connections (search filter: "New session") and get the sessionid and username fields
2. Search with this sessionid to find the field ip_src
3. Alert if the IP geo locations are different within a 10 minute period

The idea is to identify if accounts are being hacked.

Is it possible?

Thanks
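One way to implement the three-step correlation described in the post, written in Python as an added example (not Graylog's own code and not something the poster provided); the log lines and the IP-to-country table are constructed stand-ins:

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape described in the post (not a real BIG-IP
# format): a "New session" line with sessionid and username, then an ip_src line.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z New session sessionid=s1 username=alice",
    "2024-03-01T10:00:01Z sessionid=s1 ip_src=203.0.113.5",
    "2024-03-01T10:04:00Z New session sessionid=s2 username=bob",
    "2024-03-01T10:04:02Z sessionid=s2 ip_src=198.51.100.7",
    "2024-03-01T10:06:00Z New session sessionid=s3 username=alice",
    "2024-03-01T10:06:01Z sessionid=s3 ip_src=192.0.2.9",
    "2024-03-01T10:30:00Z New session sessionid=s4 username=bob",
    "2024-03-01T10:30:01Z sessionid=s4 ip_src=192.0.2.10",
]
# Constructed stand-in for a GeoIP lookup; a real deployment queries a GeoIP database.
GEO = {"203.0.113.5": "FR", "198.51.100.7": "DE", "192.0.2.9": "BR", "192.0.2.10": "FR"}
KV = re.compile(r"(\w+)=(\S+)")

def parse_sessions(lines):
    """Steps 1 and 2: join 'New session' lines with their ip_src line on sessionid."""
    sessions = {}
    for line in lines:
        ts, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        if "sessionid" not in fields:
            continue
        s = sessions.setdefault(fields["sessionid"], {})
        if "New session" in rest:
            s["user"] = fields["username"]
            s["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        if "ip_src" in fields:
            s["ip"] = fields["ip_src"]
    # Keep only sessions for which both halves of the correlation were seen
    return [s for s in sessions.values() if all(k in s for k in ("user", "time", "ip"))]

def find_geo_changes(lines, window=timedelta(minutes=10)):
    """Step 3: alert when one user's sessions inside `window` resolve to different locations."""
    alerts, history = [], {}
    for s in sorted(parse_sessions(lines), key=lambda s: s["time"]):
        geo = GEO.get(s["ip"], "unknown")
        seen = history.setdefault(s["user"], [])
        for prev_time, prev_geo in seen:
            if s["time"] - prev_time <= window and prev_geo != geo:
                alerts.append((s["user"], prev_geo, geo))
        seen.append((s["time"], geo))
    return alerts
```

On the sample data alice's two sessions six minutes apart resolve to different countries and produce one alert, while bob's sessions fall outside the window and do not.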

If you want to use correlation, you need an Enterprise license, which is free if you have less than 5GB of logs a day:
https://docs.graylog.org/en/3.1/pages/streams/alerts.html

Video on how to install the Enterprise license:

Form to get an Enterprise license key:
