Alerting for Duplicates in log messages

Hello all,

Please see screenshot attached. I will attempt to describe this issue the best I can.

I am currently alerting for “login incorrect”, however, I would like to alert when we see logs with the same email address, as highlighted.

New to the forum so apologies if something similar has been highlighted previously.

Please let me know if more information is required.

Hey @colin.jones,

what Graylog version are you using?

Did you normalize the log? I mean, did you extract the login and the MAC into single fields?

Hi Jan,

Thanks for replying.

Graylog v2.5.2+4f6d123

Sorry Jan I am not sure what you mean?

At the moment we have set up the alerts to go to Slack. What I want to happen is if a “login incorrect” message populates and has the same email address or MAC Address in the field, to alert. Is that clearer?

Thanks in advance.

Colin

Hey @colin.jones,

To be able to alert on such a detail you need to extract the given information from the message into a single field. We call that normalisation. The advantage is that you extract the valuable information out of the original message on ingest and you do not need to store the additional overhead. In addition, you can query the information more easily because it is unified and formatted in the same way. This makes the queries for alerting easier and allows the kind of alerting you are looking for.
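As an added illustration of the normalisation step Jan describes (this is not code from the thread or from Graylog itself), the following Python mirrors what an extractor or pipeline rule would do on ingest: pull the email address and MAC address out of each "login incorrect" message into their own fields, canonicalise them (lower-case, colon-separated MAC), and then count how often the same value recurs. The log lines are constructed for the example and are not the ones in the screenshot; the field names `email` and `mac` and the message format are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines for the example; NOT taken from the thread's screenshot.
# Note the second line uses a different case and MAC separator for the same user.
SAMPLE_LOGS = [
    "Jan 10 09:12:01 nas1 radiusd: login incorrect: user alice@example.com mac 00:1A:2B:3C:4D:5E",
    "Jan 10 09:12:07 nas1 radiusd: login incorrect: user Alice@Example.com mac 00-1a-2b-3c-4d-5e",
    "Jan 10 09:12:09 nas1 radiusd: login ok: user bob@example.com mac AA:BB:CC:DD:EE:FF",
    "Jan 10 09:13:30 nas2 radiusd: login incorrect: user bob@example.com mac AA:BB:CC:DD:EE:FF",
    "Jan 10 09:14:02 nas2 radiusd: login incorrect: user carol@example.com mac 11:22:33:44:55:66",
    "Jan 10 09:14:45 nas2 radiusd: login incorrect: user dave@example.com mac 11:22:33:44:55:66",
]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def normalize(line):
    """Extract 'email' and 'mac' fields from a 'login incorrect' message.

    Returns None for lines that are not failed logins, so they never reach the
    alerting logic. Extracted values are canonicalised (lower-case, MAC written
    with colons) so the same identity always produces the same field value no
    matter how the device happened to format it. Field names are assumptions.
    """
    if "login incorrect" not in line.lower():
        return None
    email = EMAIL_RE.search(line)
    mac = MAC_RE.search(line)
    return {
        "message": line,
        "email": email.group(0).lower() if email else None,
        "mac": re.sub(r"[-:]", ":", mac.group(0)).lower() if mac else None,
    }


def repeated_values(lines, field, threshold=2):
    """Return {value: count} for every value of `field` that appears in at least
    `threshold` failed-login messages. This is the check an alert would run
    against the normalised field rather than against the raw message text."""
    counts = Counter()
    for line in lines:
        rec = normalize(line)
        if rec and rec[field]:
            counts[rec[field]] += 1
    return {value: n for value, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for field in ("email", "mac"):
        for value, n in repeated_values(SAMPLE_LOGS, field).items():
            print(f"ALERT: {n} failed logins share {field}={value}")
```

Without the canonicalisation step, `Alice@Example.com` and `alice@example.com` (or `00-1a-...` and `00:1A:...`) would be counted as different values and the repeat would be missed; that is the practical reason to normalise on ingest before counting.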
