Last week on Graylog Go it was my pleasure to present the Context Collector for Graylog and release it under the same license as Graylog Open.
The Context Collector plugin for Graylog unifies information scattered over different messages, identified by shared field values, into one new singular message, enabling easier filtering/search and giving analyst a fast overview over multiline logs.
Use Cases are common across enterprise-installations:
- AD: Unify Logs with ID 4624 (login) with logs with ID 4672 to know thich user on which machine with which IP and which privileges logged on
- postfix/sendmail: each email produces several lines of log with different pieces of information. Collecting them all in one line helps to understand what is going on with the mail
- Cisco ASA: Event ID 734003 (DAP) the log tells a lot about the user logging in into AnyConnect VPN. Collecting all different information into one message allows you to search for old AnyConnect Users with Windows in a single query.
- there are many more examples, just have a look at your logs
More information about the plugin is available at the github repo as well as on the webpage of my company.