Check conditions

Graylog Central (peer support)
1

Hi community!
I’m testing Graylog with my experiance on siem’s platforms. So I’m excite with this tools and this community, Great job for everydoby!
I set two firewalls in Graylog but I’m trying do an one rule that is:

  1. The firewall A is for frontend and the firewall B is for Backend and both with signature (IDS) applied.

  2. I would set a new condition, for example:

  • if the firewall A pass all events but the firewall B block some evento…How I can do that? So I want explain better, the idea is create a new alert if the firewall B no block an event. I show the flow:

Condition:

  1. Internet -> firewall A - pass events -> firewall B - block events

  2. Internet -> firewall A - pass events -> firewall B - pass events (not block)

I would set a new alert for condition number 2, is It possible?

I Hope that you can help me!

Regards

2

Ich need to point at: Execute some rule but in order

again

3

Sorry because can seem dame but the idea is different. I search witch the condition and not the order.

If i have two firewalls or any devices I need check the condition.

My example is the alert where two firewalls has all events like pass but and one firewall is not permit some events, alert in this situación.

It is not relevance the order.

Thanks

4

but the solution will be the same … the new version. What can alert on multiple conditions and will have the option to act on them.

5

Okis, thank to very much Jan!!!

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.