Hello everyone,
Until now, with my Graylog server, I can collect and normalize the logs of a Cisco switch and a Palo Alto firewall with a content pack from the Graylog Marketplace. I can also make reports by building some custom dashboards to visualize the log stats, but I find myself stuck at the step of "log correlation". How can I do it with alerts?
What could I do? What scenario is possible in my case?
Short answer: you can’t correlate logs in GL. But there are two workarounds.
When I was in need of correlating two different log sources, I made a crontab script that exports data from one stream into a CSV file, uses it as a data adapter and puts it into a pipeline to enrich logs from another stream.
Also, I saw a plugin (https://marketplace.graylog.org/addons/3780dc6a-13f5-4f62-8546-595be7d3e37a) for this.
Not sure which solution is good. But you can give it a try.
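The crontab workaround in the answer above, as an added example that is not part of the thread: one stream (constructed Palo Alto threat events) is exported into the two-column key/value CSV that Graylog's CSV file data adapter reads, and the other stream (constructed Cisco switch events) is enriched by looking up its source IP in that table, which is what a pipeline rule calling `lookup_value()` does in Graylog. The Graylog API call that would fetch the export is omitted; field names such as `src_ip`, `threat_name` and the target field `fw_threat` are assumptions for this example, not fields from the thread.

```python
"""
Added example (not from the thread): simulate the export-to-CSV plus
lookup-table enrichment used to correlate two Graylog streams.

Step 1: export stream A (firewall threats) into a key,value CSV for the
        Graylog CSV file data adapter.
Step 2: enrich stream B (switch logs) from that table, as a pipeline rule
        using lookup_value() would, and keep the hits as "correlated".
"""
import csv
import io
from typing import Dict, List

# Constructed sample messages, shaped like a Graylog search export.
# Field names are assumptions for this example.
PALO_ALTO_THREAT_EVENTS = [
    {"timestamp": "2023-01-01T10:00:00Z", "src_ip": "10.0.0.5",
     "threat_name": "Port scan", "severity": "high"},
    {"timestamp": "2023-01-01T10:02:00Z", "src_ip": "10.0.0.9",
     "threat_name": "Brute force", "severity": "medium"},
    {"timestamp": "2023-01-01T10:05:00Z", "src_ip": "10.0.0.5",
     "threat_name": "Exploit attempt", "severity": "critical"},
]

CISCO_SWITCH_EVENTS = [
    {"timestamp": "2023-01-01T10:06:00Z", "src_ip": "10.0.0.5",
     "message": "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin]"},
    {"timestamp": "2023-01-01T10:07:00Z", "src_ip": "10.0.0.22",
     "message": "%LINK-3-UPDOWN: Interface Gi1/0/3, changed state to down"},
]


def export_lookup_csv(events: List[dict], key_field: str, value_field: str) -> str:
    """Build the key,value CSV the CSV data adapter expects (header row
    "key","value"). When the same key appears several times, the event
    with the latest timestamp wins, so the table reflects the newest state."""
    latest: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        latest[ev[key_field]] = ev
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["key", "value"])
    for key, ev in latest.items():
        writer.writerow([key, ev[value_field]])
    return buf.getvalue()


def load_lookup(csv_text: str) -> Dict[str, str]:
    """Read the CSV back into a dict, as the data adapter would on refresh."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["key"]: row["value"] for row in reader}


def enrich(events: List[dict], table: Dict[str, str],
           key_field: str, target_field: str) -> List[dict]:
    """Mirror of a pipeline rule: when the lookup hits, set target_field."""
    out = []
    for ev in events:
        enriched = dict(ev)
        hit = table.get(ev.get(key_field))
        if hit is not None:
            enriched[target_field] = hit
        out.append(enriched)
    return out


def correlated_events(switch_events: List[dict],
                      firewall_events: List[dict]) -> List[dict]:
    """Full cycle: export stream A, load it, enrich stream B, keep the hits.
    A hit means a host flagged by the firewall also produced a switch event,
    which is the condition an alert could be raised on."""
    csv_text = export_lookup_csv(firewall_events, "src_ip", "threat_name")
    table = load_lookup(csv_text)
    enriched = enrich(switch_events, table, "src_ip", "fw_threat")
    return [e for e in enriched if "fw_threat" in e]


if __name__ == "__main__":
    print(export_lookup_csv(PALO_ALTO_THREAT_EVENTS, "src_ip", "threat_name"))
    for hit in correlated_events(CISCO_SWITCH_EVENTS, PALO_ALTO_THREAT_EVENTS):
        print(hit)
```

In a live setup the script runs from cron, writes the CSV to the path configured in a CSV file data adapter backing a lookup table, and a pipeline rule on the switch stream does the equivalent of `enrich()` with `lookup_value("<table name>", to_string($message.src_ip))` followed by `set_field`. An event definition can then alert on messages that carry the enriched field. Keep the export window short: the table only represents the last export, so the cron interval is the upper bound on how stale a correlation can be.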
Correlation rules can identify an event that has caused the generation of several others (example: a hacker who has entered the network and then manipulated such equipment…). I'm working on (collection, normalization, analysis, correlation, reporting) for logs… Is Graylog able to do that?
Correlation is the main function of a correlator, which makes it possible to discover the possible direct and indirect relations between the events it has as input. Indeed, a correlator is a mechanism that takes as input events or low-level alerts from different devices or intrusion detection systems and outputs high-level alerts that are interconnected and presented later, like alert scenarios. We say that two alerts are correlated if the execution of one of them allows an intruder to launch the other.