I’m testing Graylog, with my experience on SIEM platforms. So I’m excited about this tool and this community, great job for everybody!
I set two firewalls in Graylog but I’m trying to do one rule that is:
The firewall A is for frontend and the firewall B is for backend, and both have signatures (IDS) applied.
I would set a new condition, for example:
- if the firewall A passes all events but the firewall B blocks some event… How can I do that? So I want to explain better: the idea is to create a new alert if the firewall B does not block an event. I show the flow:
Internet -> firewall A - pass events -> firewall B - block events
Internet -> firewall A - pass events -> firewall B - pass events (not block)
I would set a new alert for condition number 2, is it possible?
I hope that you can help me!
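As an added illustration of the correlation described in the post (not code from the post and not Graylog's own rule syntax), this script joins firewall A and firewall B events on a flow key and flags flow number 2: passed by A and also passed by B. The key=value line format and the log lines themselves are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines (not real firewall output); the key=value format is an assumption.
SAMPLE_LOGS = """\
fw=A action=pass src=203.0.113.10 dst=10.0.1.5 dport=443 sig=1001
fw=B action=block src=203.0.113.10 dst=10.0.1.5 dport=443 sig=1001
fw=A action=pass src=203.0.113.20 dst=10.0.1.5 dport=443 sig=2002
fw=B action=pass src=203.0.113.20 dst=10.0.1.5 dport=443 sig=2002
fw=A action=block src=203.0.113.30 dst=10.0.1.5 dport=22 sig=3003
fw=A action=pass src=203.0.113.40 dst=10.0.1.5 dport=80 sig=4004
"""

LINE_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Turn one key=value log line into a dict."""
    return dict(LINE_RE.findall(line))

def flow_key(ev):
    """Fields shared by both firewalls that identify the same traffic."""
    return (ev["src"], ev["dst"], ev["dport"], ev["sig"])

def find_unblocked_flows(log_text):
    """Return (unblocked, missing_b): flows A passed and B also passed
    (condition 2 in the post), and flows A passed but B never reported,
    which is a visibility gap rather than a pass and is listed separately."""
    seen = defaultdict(dict)   # flow key -> {firewall name: action}
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            seen[flow_key(ev)][ev["fw"]] = ev["action"]
    unblocked, missing_b = [], []
    for key, actions in seen.items():
        if actions.get("A") != "pass":
            continue          # only flows that made it through the frontend firewall
        b_action = actions.get("B")
        if b_action == "pass":
            unblocked.append(key)
        elif b_action is None:
            missing_b.append(key)
    return unblocked, missing_b

if __name__ == "__main__":
    unblocked, missing_b = find_unblocked_flows(SAMPLE_LOGS)
    for key in unblocked:
        print("ALERT: passed A and not blocked by B:", key)
    for key in missing_b:
        print("WARN: passed A, no record from B:", key)
```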