Alerting - Show additional field values from original message without grouping by field

I have firewall logs streaming to Graylog. For all blocked traffic, I want an alert to trigger on every unique source IP but list all individual destination ports it attempted to connect to in the alert notification. I only want alerts to be grouped by the source IP of the traffic, so I set source_ip (a field parsed from the original message) in the “Filter & Aggregation” > “Aggregation” > “Group by Field(s)” section. This works fine.

My issue is in the Custom Fields section… I want to include the destination_port field (a field parsed from the original message, just like source_ip above) in the alert notification to give me extra context when I receive the alert. However, it appears the only way to expose the destination_port field from the original message(s) is to add them in the “Group by Field(s)” section, which will group alerts by each unique combination of source_ip and destination_port, which is not what I want. Again, I want an alert for each unique source_ip value with all destination_port values associated with the source_ip alert group.

One idea I had was to access the desired field through the backlog, but the backlog configuration in the Notifications section of the Event Definition forces you to set a limit for the number of messages in it, which is not what I want. I want every message that contributed to creating the alert so I can fully populate the list of destination_port values in the alert. For some reason, this configuration is possible in the configuration of the Notification itself: there, you configure the “Message Backlog Limit”, and if you set it to 0, no limit will be enforced.

My Environment:

  • Linux 4.19.0-12-amd64
  • Debian 11.0.13
  • Graylog 4.2.0+5adccc3
  • MongoDB 4.2.10
  • Elasticsearch 7.10.2

Hello,

After re-reading your post, what I came up with is something like this.

What I did was make a Stream for failed users Logon.
My expectation was showing each IP Address that failed to logon from SSH connection.
In the picture above you can see my staggering logon attempts between two remote devices.

I set my search for one minute and grouped by source. This is about as close as I can get to what I think you wanted. By decreasing my search time to 1 minute and increasing my number of backlogs I get all my messages.

If this is not what you wanted, is it possible to show what you want?
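Both posts converge on the same approach: let the Event Definition group on source_ip, ship the full message backlog with the notification, and build the destination_port list from that backlog rather than from a second group-by field. The script below is an added example of the post-processing side and is not part of the original thread or of Graylog itself. It assumes the notification arrives as JSON with a `backlog` list whose entries carry a `fields` map (that key layout is an assumption about the HTTP notification payload; adjust the names if yours differs), and the sample payload is constructed for the example. The port list is only as complete as the backlog: with a Message Backlog Limit in force, ports from messages beyond the limit will not appear.

```python
"""Summarise blocked traffic per source_ip from a Graylog notification backlog.

Added example, not code from the original thread or from Graylog. Assumed
payload shape: {"event_definition_title": ..., "event": {...}, "backlog":
[{"fields": {...}}, ...]}. Constructed sample data below.
"""
import json
from collections import defaultdict

# Constructed sample: one event grouped on source_ip and four backlog messages.
# Ports deliberately appear as int, as string, duplicated, and missing, because
# parsed firewall fields are not always typed consistently.
SAMPLE_NOTIFICATION = json.dumps({
    "event_definition_title": "Blocked traffic per source IP",
    "event": {"group_by_fields": {"source_ip": "203.0.113.7"}},
    "backlog": [
        {"fields": {"source_ip": "203.0.113.7", "destination_port": 22, "action": "block"}},
        {"fields": {"source_ip": "203.0.113.7", "destination_port": "3389", "action": "block"}},
        {"fields": {"source_ip": "203.0.113.7", "destination_port": 22, "action": "block"}},
        {"fields": {"source_ip": "203.0.113.7", "action": "block"}},  # no port parsed
    ],
})


def ports_by_source(payload: str, ip_field: str = "source_ip",
                    port_field: str = "destination_port") -> dict:
    """Group backlog messages by ip_field and collect unique destination ports.

    Returns {ip: {"ports": [sorted unique ints], "attempts": n, "missing_port": m}}.
    Messages without the ip field are skipped; messages whose port is absent or
    not an integer are counted under "missing_port" instead of being dropped.
    """
    data = json.loads(payload)
    summary = defaultdict(lambda: {"ports": set(), "attempts": 0, "missing_port": 0})
    for msg in data.get("backlog", []):
        fields = msg.get("fields", {})
        ip = fields.get(ip_field)
        if ip is None:
            continue
        entry = summary[ip]
        entry["attempts"] += 1
        try:
            entry["ports"].add(int(fields.get(port_field)))
        except (TypeError, ValueError):
            entry["missing_port"] += 1
    return {
        ip: {"ports": sorted(v["ports"]), "attempts": v["attempts"],
             "missing_port": v["missing_port"]}
        for ip, v in summary.items()
    }


def render_alert(payload: str, port_field: str = "destination_port") -> str:
    """Produce the one-block-per-source text an analyst wants in the notification."""
    data = json.loads(payload)
    lines = [data.get("event_definition_title", "event")]
    for ip, info in sorted(ports_by_source(payload, port_field=port_field).items()):
        ports = ", ".join(str(p) for p in info["ports"]) or "(none parsed)"
        lines.append(f"{ip}: {info['attempts']} blocked attempts; destination ports: {ports}")
        if info["missing_port"]:
            lines.append(f"  {info['missing_port']} message(s) had no usable {port_field}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_alert(SAMPLE_NOTIFICATION))
```

Running the script against the constructed payload prints one line for 203.0.113.7 listing ports 22 and 3389 across four attempts, plus a note that one message carried no usable port; that last line is the check that tells you whether the parser, not the attacker, is the reason a port is missing.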
