Correlating logs with Graylog 3.0

kilbil77 · April 4, 2019, 1:39pm

Hello,
I am looking for a way to do some log correlation.
For exemple, I would like to calculate the duration of a ssh session when I receive a log "pam_unix (…) closed)
I have tried writing a pipeline rule to add the duration field in this kind of log but I cannot find a way to “query” the same index in order to find the start ssh session log.
I have seen the slookup plugin for graylog 2 but I am using Graylog 3.0.

Thank you =)

macko003 · April 8, 2019, 8:48am

not possible to correlation between messages in graylog.
You can use alerts, but it’s not really the same.

system · April 22, 2019, 8:50am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Corellating log messages Graylog Central (peer support)	2	436	March 28, 2018
Monitoring Active SSH/RDP Sessions Graylog Central (peer support)	1	2101	August 16, 2019
SIEM open source and Graylog Graylog Central (peer support)	2	633	April 9, 2020
Build Correlation Graylog Central (peer support)	4	1794	June 15, 2017
Corelations in Graylog Graylog Central (peer support)	4	397	July 29, 2020

Correlating logs with Graylog 3.0

Related topics