Context Collector for Graylog

Last week on Graylog Go it was my pleasure to present the Context Collector for Graylog and release it under the same license as Graylog Open.
The Context Collector plugin for Graylog unifies information scattered over different messages, identified by shared field values, into one new singular message, enabling easier filtering/search and giving analyst a fast overview over multiline logs.
Use Cases are common across enterprise-installations:

  • AD: Unify Logs with ID 4624 (login) with logs with ID 4672 to know thich user on which machine with which IP and which privileges logged on
  • postfix/sendmail: each email produces several lines of log with different pieces of information. Collecting them all in one line helps to understand what is going on with the mail
  • Cisco ASA: Event ID 734003 (DAP) the log tells a lot about the user logging in into AnyConnect VPN. Collecting all different information into one message allows you to search for old AnyConnect Users with Windows in a single query.
  • there are many more examples, just have a look at your logs

More information about the plugin is available at the github repo as well as on the webpage of my company.

1 Like

Good job @ihe , Ill try it out in few

great, let us know how it works for you!

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.