Correlation of events

Hello friends! Sorry for my English.
See if you can shed some light on this for me.
I have a challenge to implement a functional SIEM. That is, one that is not intrusive on the network.

Example:
I want to monitor network devices such as firewall, router, switch, etc…
That is, monitor and correlate events of increased network bandwidth usage with <ip/port><source/destination>

Such devices only support standard protocols such as SysLog and SNMP.

Then,
I need to monitor the health of a device so that it is possible to correlate the increase in network bandwidth usage with a given <ip/port><source/destination>
In this case I imagine that I need to monitor events of this type partly with syslog and partly with snmp.

SNMP - monitors events from bandwidth usage controls, up/down ports, etc…
SYSLOG - Monitors events to track or investigate anomalies.

How can I correlate an increase in network bandwidth usage with source and destination ip using GrayLog?

Thanks! Any help is welcome.

You can monitor metrics with Graylog using Elasticsearch’s Metricbeat to feed metrics into Graylog along with any other log messages you are interested in. I don’t believe Metricbeat is as efficient as using SNMP, but if your focus is on metric correlation with log messages, that may be the way to go. If you search the forums, there are a few posts about how to get Metricbeat to work with Graylog. There are plugins for using SNMP with Graylog, but I haven’t worked with them. Here is one I found with a quick search

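The correlation asked about above, written out as an added example (not code from the original thread or from Graylog itself): SNMP gives you a per-interface octet counter that tells you *when* and *how much*, syslog flow records give you *who* (source/destination IP and port). The script assumes a hypothetical firewall that logs one key=value line per flow and a poller that reads ifHCInOctets once a minute; both inputs are constructed sample data. It finds polling intervals whose byte count is far above the median, then sums the logged flow bytes per (src, dst, dport) inside exactly that interval. In Graylog the same thing is a search over the spike window with a terms aggregation on the flow fields, once the byte field is stored as a number.

```python
"""Correlate an SNMP interface-counter spike with syslog flow records.

Added example, not from the original thread. Assumes a hypothetical firewall that
logs one key=value line per flow and an SNMP poller that samples ifHCInOctets once
a minute. Both inputs below are constructed sample data.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines (hypothetical format). In Graylog these would already be
# extracted into fields such as src_ip, dst_ip, dst_port and bytes_received.
SYSLOG_LINES = """\
2022-03-01T10:00:05 fw01 flow: src=10.0.0.5 dst=203.0.113.9 sport=51234 dport=443 bytes=1500
2022-03-01T10:00:40 fw01 flow: src=10.0.0.7 dst=198.51.100.2 sport=40001 dport=80 bytes=20000
2022-03-01T10:01:10 fw01 flow: src=10.0.0.5 dst=203.0.113.9 sport=51235 dport=443 bytes=3000
2022-03-01T10:02:05 fw01 flow: src=10.0.0.5 dst=203.0.113.9 sport=51240 dport=443 bytes=2500000
2022-03-01T10:02:20 fw01 flow: src=10.0.0.7 dst=198.51.100.2 sport=40002 dport=80 bytes=200000
2022-03-01T10:02:35 fw01 flow: src=10.0.0.5 dst=203.0.113.9 sport=51241 dport=443 bytes=2500000
2022-03-01T10:02:50 fw01 flow: src=10.0.0.5 dst=203.0.113.9 sport=51242 dport=443 bytes=2500000
2022-03-01T10:03:15 fw01 flow: src=10.0.0.9 dst=192.0.2.10 sport=33000 dport=22 bytes=4000
""".splitlines()

# Constructed SNMP poll results for ifHCInOctets (Counter64) on the WAN port.
SNMP_SAMPLES = [
    ("2022-03-01T10:00:00", 1_000_000),
    ("2022-03-01T10:01:00", 1_050_000),
    ("2022-03-01T10:02:00", 1_100_000),
    ("2022-03-01T10:03:00", 9_100_000),   # 8 MB in one minute: the spike
    ("2022-03-01T10:04:00", 9_150_000),
]

COUNTER64_MAX = 2 ** 64
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ flow: src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_flows(lines):
    """Turn syslog lines into flow dicts; lines that do not match are skipped."""
    flows = []
    for line in lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]),
            "bytes": int(m["bytes"]),
        })
    return flows


def counter_deltas(samples):
    """Octets per polling interval, handling a Counter64 wrap-around."""
    deltas = []
    for (t0, v0), (t1, v1) in zip(samples, samples[1:]):
        delta = v1 - v0
        if delta < 0:                     # counter wrapped since the last poll
            delta += COUNTER64_MAX
        deltas.append((datetime.fromisoformat(t0), datetime.fromisoformat(t1), delta))
    return deltas


def find_spikes(deltas, factor=5.0):
    """Intervals whose octet count exceeds `factor` times the median interval."""
    baseline = statistics.median(d for _, _, d in deltas)
    return [(t0, t1, d) for t0, t1, d in deltas if d > factor * baseline]


def top_talkers(flows, start, end, n=3):
    """Sum bytes per (src, dst, dport) for flows logged in [start, end)."""
    totals = defaultdict(int)
    for f in flows:
        if start <= f["ts"] < end:
            totals[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def correlate(lines=SYSLOG_LINES, samples=SNMP_SAMPLES):
    """For each SNMP spike interval, list the flows that account for it."""
    flows = parse_flows(lines)
    return [
        {"start": t0, "end": t1, "octets": d, "talkers": top_talkers(flows, t0, t1)}
        for t0, t1, d in find_spikes(counter_deltas(samples))
    ]


if __name__ == "__main__":
    for hit in correlate():
        print(f"{hit['start']:%H:%M}-{hit['end']:%H:%M}: {hit['octets']} octets on WAN")
        for (src, dst, dport), total in hit["talkers"]:
            print(f"   {src} -> {dst}:{dport}  {total} bytes")
```

Two caveats the script makes explicit: the flow bytes are attributed to the interval in which the device logged them, which for long-lived sessions is the end of the session rather than when the traffic happened, and the SNMP delta covers all traffic on the interface while syslog only shows what the device chose to log, so the two totals will not match exactly.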

Friend,
Thanks for the tip, and sorry for the delay in getting back to you.
Following in the same vein, see if you can give me another tip.

All messages I receive in Graylog have information about the bytes received and sent by the respective “log record or packet”.
So I believe it is possible to nest the sum of these bytes according to the search criteria. And so know how many bytes were spent in period X.

Any tips on how I can make it work?

In this case, Elasticsearch has saved the field data for bytes_received as Keyword rather than Long. It tends to default to keyword. Depending on how you are extracting the field, you can force the type to be long… if it is in the pipeline you would use the to_long() function… or you can create a custom mapping in Elasticsearch - I wrote up an article here on how I created a custom mapping and corrected the historical data. Either way you do it, the index it is saved to will continue to keep it a keyword until it is typed correctly AND you rotate the index. That’s the short.

Also of note, new questions should be in new topics… it helps to make the forum more searchable. :smiley:
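An added example of the check and the fix described in the reply above (my code, not from the thread or from Graylog). The `MAPPING_RESPONSE` below is constructed to match the shape of `GET /<index>/_mapping/field/*`, the sample documents are made up, and the index-template body follows the format Graylog documents for custom mappings, with the extra `message` mapping-type level that Elasticsearch 6 requires and Elasticsearch 7 drops. It lists fields that are stored as `keyword` although every observed value is an integer, then builds the template that forces them to `long`. As the reply says, the template only takes effect for indices created after it is installed, so the active index still has to be rotated.

```python
"""Find Graylog fields stored as keyword that should be long, and build the fix.

Added example, not from the thread. MAPPING_RESPONSE and SAMPLE_DOCS are
constructed data; the template layout for ES 6 versus ES 7 is an assumption
about which Elasticsearch major version is behind the Graylog instance.
"""
import json

# Constructed: what `_mapping/field/*` returns on ES 7, trimmed to three fields.
MAPPING_RESPONSE = {
    "graylog_74": {
        "mappings": {
            "origem_rule_type": {
                "full_name": "origem_rule_type",
                "mapping": {"origem_rule_type": {"type": "keyword"}},
            },
            "origem_bytes_received": {
                "full_name": "origem_bytes_received",
                "mapping": {"origem_bytes_received": {"type": "keyword"}},
            },
            "origem_bytes_sent": {
                "full_name": "origem_bytes_sent",
                "mapping": {"origem_bytes_sent": {"type": "long"}},
            },
        }
    }
}

# Constructed sample messages as an extractor without a converter stores them.
SAMPLE_DOCS = [
    {"origem_rule_type": "allow", "origem_bytes_received": "1500", "origem_bytes_sent": 300},
    {"origem_rule_type": "deny", "origem_bytes_received": "0", "origem_bytes_sent": 0},
]


def field_types(mapping_response):
    """Flatten a _mapping/field/* response into {field: type}.

    Handles the ES 7 shape (index -> mappings -> field) and the ES 6 shape,
    which inserts a mapping-type level (index -> mappings -> type -> field).
    """
    types = {}
    for index_body in mapping_response.values():
        level = index_body["mappings"]
        if level and not any("full_name" in v for v in level.values()):
            level = {k: v for type_body in level.values() for k, v in type_body.items()}
        for name, entry in level.items():
            types[name] = entry["mapping"][name]["type"]
    return types


def looks_numeric(value):
    """True for ints and for strings that parse as ints (e.g. "1500")."""
    try:
        int(value)
        return True
    except (TypeError, ValueError):
        return False


def mistyped_numeric_fields(mapping_response, docs):
    """Fields mapped as keyword whose every observed value is an integer."""
    types = field_types(mapping_response)
    suspects = []
    for name, field_type in sorted(types.items()):
        if field_type != "keyword":
            continue
        values = [d[name] for d in docs if name in d]
        if values and all(looks_numeric(v) for v in values):
            suspects.append(name)
    return suspects


def index_template(fields, es_major=7, pattern="graylog_*"):
    """Legacy index-template body that forces the given fields to long.

    ES 6 needs the Graylog mapping type "message" above "properties";
    ES 7 has no mapping types. index_patterns works on both.
    """
    properties = {"properties": {f: {"type": "long"} for f in fields}}
    mappings = properties if es_major >= 7 else {"message": properties}
    return {"index_patterns": [pattern], "mappings": mappings}


if __name__ == "__main__":
    wrong = mistyped_numeric_fields(MAPPING_RESPONSE, SAMPLE_DOCS)
    print("keyword fields holding numbers:", wrong)
    # Body for: curl -X PUT "<elasticServer>:9200/_template/graylog-custom-mapping" \
    #   -H 'Content-Type: application/json' -d @template.json
    print(json.dumps(index_template(wrong), indent=2))
```

The `looks_numeric` guard matters: if even one message carries a non-integer value in that field (a dash, "N/A"), a `long` mapping will reject the whole message, so that is the case to clean up in the extractor or pipeline rule before changing the mapping.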

Dear tmacgbay,
I will ask new questions in a new topic.

Sorry if I’m asking the wrong question.
In this case, I’m able to extract just the integer value. Wouldn’t that be enough?

I don’t know enough about extractors to know if it would store in Elasticsearch as a number even though it has been extracted as such - maybe @gsmith has an answer? You can use this command to query the field type in your Elasticsearch instance:

curl -X GET "<elasticServer>:9200/<index_name>/_mapping/field/*?pretty" | grep -B 5 -A 3 bytes_received


Hello tmacgbay
I believe I ran the command correctly. The output was json

curl -X GET "localhost:9200/graylog_74/_mapping/field/*?pretty" | grep -B 5 -A 3 bytes_received

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 16132  100 16132    0     0  5251k      0 --:--:-- --:--:-- --:--:-- 5251k

          "origem_rule_type" : {
            "type" : "keyword"
          }
        }
      },
      "origem_bytes_received" : {
        "full_name" : "origem_bytes_received",
        "mapping" : {
          "origem_bytes_received" : {
            "type" : "keyword"
          }
        }

And as shown, the logged data is of the keyword type. And apparently it’s not numerical. And then I couldn’t use it for a sum operation on a panel. Correct?

It picked up origem_bytes_received … is that what you meant?

Yes, the type is keyword currently, so you cannot do maths against it. You will have to change the type with a custom mapping or set the type in the extractor - which I am unfamiliar with, but there are methods mentioned in the GROK section…

@elias.medina

Example using a REGEX extractor with a “Numeric” converter; see if that helps.

If I had an example of the message. I probably would have done it for ya already :laughing:

