Correlating events from multiple streams

Miki · October 8, 2025, 6:06am

Hi everyone,

I’m using the free version of Graylog 6.3.3.

Is there a way to create an alert that triggers only if both of these log events occur (from different streams) within 5 minutes?

Stream AD → winlogbeat_event_code:4625
Stream FA → reason:sslvpn_login_permission_denied

Right now, I’m using this query:

(winlogbeat_event_code:4625 AND winlogbeat_winlog_event_data_AuthenticationPackageName:MICROSOFT_AUTHENTICATION_PACKAGE_V1_0) OR reason:sslvpn_login_permission_denied

However, this also triggers when only one of the conditions is met, and I’d like it to fire only when both happen close together in time.

Any ideas or best practices to achieve this in the free version?

Thanks!

drewmiranda-gl · October 13, 2025, 2:23pm

Howdy and welcome!

There may be some way to do this outside of Graylog Enterprise, but my knowledge about solving this problem is specific to the paid version of Graylog (full disclosure: as an employee). Graylog Enterprise does provide this correlation engine capability.

system · October 27, 2025, 2:23pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Multi Stream Alert Graylog Central (peer support)	1	406	October 23, 2017
Corellating log messages Graylog Central (peer support)	2	447	March 28, 2018
Complex Event Processing Graylog Add-ons	6	1776	February 23, 2017
Stream how do correlation betwen 2 rules Graylog Central (peer support)	8	2241	June 29, 2018
Combine search queries, time based Graylog Central (peer support)	2	458	December 6, 2019

Correlating events from multiple streams

Related topics