Correlate events

v_2nas · March 9, 2018, 9:27am

Hi Folks,

I wondering if correlating across 2 unique events using common value is possible.
For example
Event ID 4624 (successful logon) and EventId 4647 (logoff) has common field called LogonID

what would be a search query syntax be where logonID in eventid 4624 matches logonid of event 4647

Thanks,
Navdeep

jochen · March 9, 2018, 9:53am

That’s not possible with Graylog at the moment, but Graylog 3.0.0 might come with some new features enabling this kind of query.

rfinney · March 10, 2018, 4:17am

Such a tease! Come on @jochen you know you want to tell us the new feature!

system · March 24, 2018, 4:18am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Advanced Searches - Graylog Graylog Central (peer support)	1	521	November 15, 2017
Event_id field of Graylog Graylog Central (peer support)	5	2795	May 15, 2019
Graylog 3.1 Correlation Alert unexpected operation Graylog Central (peer support)	6	639	December 16, 2019
Query for consecutive event from same user Graylog Central (peer support)	3	554	February 10, 2020
Complex Event Processing Graylog Add-ons	6	1693	February 23, 2017

Correlate events

Related Topics