Hi, I need help.
I am using this query:
application_name:openvpn AND (message:"Peer Connection Initiated" OR message:"could not authenticate")
to get an email alert notification.
Why am I using two things? Because in one log I can see the username which couldn't authenticate, and in the Peer Connection log I can see the username with the IP address.
So I am getting two different emails.
But I want to merge both logs on the basis of the same username and timestamp and get a single email with both messages instead of two different ones.
How?
Assuming your Peer Connection log always arrives first, you could write the username to a lookup table as the key and store the IP with it. Then with the second log you use the username to perform a lookup against the table, grab the IP and store it in a new field. Fire the alert based on the second message and pull the IP and username as fields into the event.
If you were using enterprise there might also be something that could be done with the correlation engine.
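The lookup-table approach described in the reply above, as a standalone Python sketch (an added example, not code from this thread or from Graylog): it keeps a username → (timestamp, IP) table from "Peer Connection Initiated" lines, enriches each "could not authenticate" line from that table, and emits one merged alert record per failure instead of two separate events. The log line format, the five-minute matching window, and the output field names are constructed assumptions; in Graylog the same idea would be a lookup table plus a pipeline rule, which this script does not reproduce.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real OpenVPN output); they carry the two
# message patterns the question's Graylog query matches on.
SAMPLE_LOGS = [
    "2024-06-11T10:00:01Z openvpn alice/203.0.113.5:51234 Peer Connection Initiated with [AF_INET]203.0.113.5:51234",
    "2024-06-11T10:00:03Z openvpn could not authenticate user alice",
    "2024-06-11T10:05:00Z openvpn bob/198.51.100.7:44000 Peer Connection Initiated with [AF_INET]198.51.100.7:44000",
    "2024-06-11T11:30:00Z openvpn could not authenticate user carol",  # no prior peer record
]

# Assumed line layouts for the constructed sample above.
PEER_RE = re.compile(
    r"^(?P<ts>\S+) openvpn (?P<user>[^/\s]+)/(?P<ip>[0-9.]+):\d+ Peer Connection Initiated"
)
AUTH_RE = re.compile(r"^(?P<ts>\S+) openvpn could not authenticate user (?P<user>\S+)")


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def correlate(lines, window=timedelta(minutes=5)):
    """Replay log lines in order and return one merged alert per auth failure.

    `lookup` maps username -> (timestamp, ip) from the most recent
    'Peer Connection Initiated' line, mirroring the lookup table in the reply.
    An auth failure consults it: a hit inside `window` yields an alert carrying
    the IP; a miss still yields an alert with source_ip=None so that a failure
    without a preceding peer record is never silently dropped.
    """
    lookup = {}
    alerts = []
    for line in lines:
        m = PEER_RE.match(line)
        if m:
            lookup[m["user"]] = (parse_ts(m["ts"]), m["ip"])
            continue
        m = AUTH_RE.match(line)
        if m:
            ts = parse_ts(m["ts"])
            user = m["user"]
            ip = None
            if user in lookup:
                peer_ts, peer_ip = lookup[user]
                # Only trust the stored IP if the peer record is recent enough.
                if timedelta(0) <= ts - peer_ts <= window:
                    ip = peer_ip
            alerts.append({
                "timestamp": m["ts"],
                "username": user,
                "source_ip": ip,
                "message": "could not authenticate",
                "peer_connection_seen": ip is not None,
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Running it on the sample prints two alerts: alice's failure enriched with 203.0.113.5, and carol's failure with source_ip None and peer_connection_seen False, which is the case worth keeping visible rather than suppressing.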