Basic 2 Axis line graph Widget

1. Describe your incident:
Hi. Using Graylog Open, I have a stream with two Windows security events (4624 & 4625). There are many more successful logins (4624) than there are failures (4625). I want to display this in a line graph with green for success and red for failure, grouped by timestamp. This should be very simple, but there doesn’t seem to be a way to get the widget to display them as separate axes; it seems I need separate widgets and need to do them individually. Is there a way to do this with one widget?

Groupby: timestamp
Metrics Function: Count Field: EventID
Visualization: Line Chart Interpolation: Linear

2. Describe your environment:

  • OS Information:

  • Package Version: Graylog 4.3.0

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?


Hello,

Your best bet would be to filter those out into individual fields. Let's say you have a field called EventID:

You could do something like this.

rule "logon status S"
when
    has_field("EventID") AND contains(to_string($message.EventID), "4624")
then
    set_field("successful","true");
end

rule "logon status F"
when
    has_field("EventID") AND contains(to_string($message.EventID), "4625")
then
    set_field("failed","true");
end

EDIT:
Thought I would show the results.

Hi, and thanks for responding. I would have expected two separate line graphs, not just one. I can achieve one line just by searching on the EventID, so I’m expecting one line to show all successful logins at a given point in time and a separate line to show failures for a given point in time.
My other question is: where does the code you wrote integrate with Graylog? Is that entire thing a query that goes into the Stream Search field?

Thanks

I used this…

Quick overview:

Make rule/s:

Combine rules for pipeline & attach that to a stream.

Overview

Oops. I see the blue line representing zero failures. Sorry I did not notice that when I responded initially. Now it’s just figuring out how to add to stream.


Maybe this might help

Well, I’m still struggling to make this work. I understand the instructions. When I try to apply the pipeline to the stream I want to use, I don’t get any messages, and the two specific EventIDs are basically all that is in that stream. When I use the All Messages stream I can see stage 0 gets messages, but stage 1 never gets any messages (kind of like your example image shows), and when I search the All Messages stream I never see any added fields. I basically pasted your code into the Rules section, and used Stage / Add Stage for the two rules.

I also verified that the appropriate processors are enabled. Just to clarify, this does work on the FREE version, correct?

Thanks for your help.

Yes.
For troubleshooting your pipeline rule, you can add debug():

rule "logon failed"
when
    has_field("EventID") AND contains(to_string($message.EventID), "4625")
then
    set_field("failed","true");
    debug("failed");
end

Then tail your log file:

root# tail -f /var/log/graylog-server/server.log

Side note: you can add both rules in the same “stage”; that might be my mistake. I think if Stage 0 is executed it doesn’t go to stage 1. @tmacgbay might be able to help further on this.

@miek

I forgot to say, sometimes it takes a while for the pipeline to kick in. What I do is check my fields to see if they were created: Search page → left side pane.

@miek My apologies, I just tested this out in the lab and I can confirm I was wrong on the staging. Put both rules above in “STAGE 0” that I showed above and connect it to “All Messages”.

As for your Widget, I have this…

…need to see what you are doing…

The rules can both be placed in the same stage; each stage generally runs its rules in parallel. You would only create a new stage/rule if there was a dependency on a previous rule.

Do you have a field called EventID broken out that just has the EventID number in it? I ask because in my system the field is winlog_event_id, so the rule would be:

rule "logon failed"
when
    has_field("winlog_event_id") AND contains(to_string($message.winlog_event_id), "4625")
then
    set_field("failed","true");
    debug("failed");
end
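To make the mechanics of the two rules and the resulting widget concrete, here is an added Python simulation (not Graylog code and not from anyone in this thread). It models a single stage 0 holding both rules, tags each message with a `successful` or `failed` field the way `set_field` does, and then counts each flag per minute, which is the data a Line Chart widget grouped by timestamp draws as two lines (with zero-filled buckets, so a minute with no failures still shows a point at zero). The message list, the field name `EventID` and the minute bucketing are constructed assumptions. One deliberate difference from the posted rules: Graylog's `contains()` is a substring test, so a value such as `14625` would also match; the helper below compares the stringified value exactly, which is the stricter form to prefer when the field holds only the event number.

```python
"""Simulation of two Graylog pipeline rules in one stage plus the per-timestamp
count a two-series line chart widget would display. Example code added to the
thread; it is not Graylog's implementation."""
from datetime import datetime

# Constructed sample messages, shaped like Graylog messages after field extraction.
# The last one carries EventID as a string to show that to_string() makes the
# type irrelevant; 4672 is included as an event neither rule should touch.
SAMPLE_MESSAGES = [
    {"timestamp": "2022-06-01T10:00:05Z", "EventID": 4624, "source": "dc01"},
    {"timestamp": "2022-06-01T10:00:40Z", "EventID": 4624, "source": "dc01"},
    {"timestamp": "2022-06-01T10:01:10Z", "EventID": 4625, "source": "dc01"},
    {"timestamp": "2022-06-01T10:01:30Z", "EventID": 4624, "source": "dc02"},
    {"timestamp": "2022-06-01T10:02:00Z", "EventID": 4672, "source": "dc02"},
    {"timestamp": "2022-06-01T10:02:15Z", "EventID": "4625", "source": "dc02"},
]


def has_field(message, name):
    """Equivalent of has_field(name) in the rule language."""
    return name in message and message[name] is not None


def event_id_is(message, wanted):
    """Condition of the posted rules. The thread uses contains(to_string(...), wanted),
    a substring test; an exact comparison of the stringified value is used here."""
    return has_field(message, "EventID") and str(message["EventID"]) == wanted


def rule_logon_status_s(message):
    """rule "logon status S": set_field("successful", "true") for EventID 4624."""
    if event_id_is(message, "4624"):
        message["successful"] = "true"
        return True
    return False


def rule_logon_status_f(message):
    """rule "logon status F": set_field("failed", "true") for EventID 4625."""
    if event_id_is(message, "4625"):
        message["failed"] = "true"
        return True
    return False


# Both rules sit in the same stage, as the thread concludes they should.
STAGE_0 = [rule_logon_status_s, rule_logon_status_f]


def run_stage(messages, rules):
    """Run every rule of one stage against every message and return enriched copies,
    leaving the input untouched (a stage runs its rules independently of each other)."""
    enriched = []
    for original in messages:
        message = dict(original)
        for rule in rules:
            rule(message)
        enriched.append(message)
    return enriched


def minute_bucket(timestamp):
    """Truncate an ISO-8601 UTC timestamp to the minute (assumed chart interval)."""
    moment = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
    return moment.replace(second=0).strftime("%Y-%m-%dT%H:%M")


def chart_series(messages):
    """Count per minute for each flag, zero-filled across all buckets: the two series
    of a Line Chart widget with Group by: timestamp, Metric: Count."""
    buckets = sorted({minute_bucket(m["timestamp"]) for m in messages})
    series = {
        "successful": {bucket: 0 for bucket in buckets},
        "failed": {bucket: 0 for bucket in buckets},
    }
    for message in messages:
        bucket = minute_bucket(message["timestamp"])
        for flag in series:
            if message.get(flag) == "true":
                series[flag][bucket] += 1
    return series


if __name__ == "__main__":
    tagged = run_stage(SAMPLE_MESSAGES, STAGE_0)
    for flag, points in chart_series(tagged).items():
        print(flag, points)
```

Running the script prints one dictionary per series; the `successful` line has points 2, 1, 0 and the `failed` line 0, 1, 1 for the three minutes in the sample, which is the shape the original poster was after from a single widget.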

Thanks to both of you very much. I was about to respond with screenshots when suddenly it started working correctly. One of my stumbling blocks was not making two separate rules to put into Stage 0. Once I saw that step through, and used All Messages, it finally worked.


Awesome, Glad you got it to work @miek :+1:
