Hi,
I am fairly new to Graylog, having done a Graylog 4.1.3 installation from scratch on Debian 10, Elasticsearch 7.10. So far, a lot of things are running smoothly, but I have problems understanding the concept of custom fields in alerts/events. Exact usecase:
I have an aggregation event that collects Windows Event ID 4625 (failed logon) over 5 minutes. If there are more than 4 events for the same User (Aggregation → Group by field(s) → “TargetUserName”) , the event is triggered.
This works fine.
My problem is the custom fields. I would like to integrate all Workstations where the user has tried to log on in the event. From my understanding, this should be possible with CustomFields in the event definition. So I defined a field
Field Name: FailedWorkstations
Is Key?Yes
Value Source: Template
Data Type: string
Configration: template: “${source.WorkstationName}” require_values: false
→ it shows the custom field in the event with the username. So, the syntax would work, but only for TargetUserName (which I already have, because I aggregate on this one).
Looking for a solution, I stumbled across “backlog” to be enabled. But… I do not have a notification defined, I just want to see the event in the GUI (for now). Anyway, I created a dummy mail notification and set backlog to 5, but this didn’t change anything.
Is there a way to include the workstation names in the event as custom field?
Otherwise, we would have to create a search based on the time and filter of the event manually (?) Or is there a way to quickly create a search filter for all messages that are related to the event?
I might be able to help you with this.
First, I use GELF input for all my windows devices this creates all the fields needed. If you are using something like Syslog inputs you could create extractors to make a custom filed. I have gone that route and I found it to be a lot easier just letting Elasticsearch make them for me especially with Windows devices. The downside to this it will create a lot of fields and depending on how much room you have on your Graylog server you might want to be careful. This also depends on how much logs you are ingesting.
This is my input configured.
Here is an example of message received. I think these fields you were looking for , If I’m correct?
I did try just creating the custom fields before but later on I was creating a lot of extractor which started using more resources on my Lab GL server. I found it easier to expand the volume.
Hope that helps
EDIT: GELF/UDP input will do the same as shown above.
Hi gsmith,
thank you so much for your reply! I still think that I misunderstand the custom field in an event. But I got it sorted by generating an eMail alert, including backlog and per backlog message the fields I need (workstation + TargetUserName).
As explained above, I actually tried to use the custom fields to log all workstations, where the user had tried to login in the messages leading to the event threshold; but it looks like it will not collect these values across the messages. So there is no way to do this without an eMail alert (to just display the event in GL GUI).
Extractors or any other method to gather info should not be necessary, as I already have the fields in the Windows Event logs (gathered by WEF/WEC and NXLOG). It was just about displaying it in the event without an alert.
Anyway, I’ve got it going more or less. I need to put some more effort in possible uses for these “fields” in event definitions.
best regards
Marcus
Hello,
Thank you so much for sharing! I have configured it the same way now, which means I added Workstation to the GroupBy Fields. Now the customfield “Workstation” is also filled, but of course, the alert only triggers when a user login fails on the same workstation in a certain timeframe.
Actually, I also wanted to alert failed logins for same user across multiple workstations (i.e. password spraying) - and then have a list of all workstations where this happened. But the custom field seems to take only a single value, not a list of workstations from all the messages accounting to the alert. And that’s what I would get with the backlog, but only via mail. I also tried to get this by creating a custom field referring to backlog:
template: “${foreach backlog message} User: ${message.fields.TargetUserName} WorkStation Name: ${message.fields.WorkstationName}”
but this field doesn’t even show up in the event, so I guess it is not accepted to use it (though it accepts it when configuring fields).
So far, I couldn’t figure out if this is possible at all, guess I will have to go with backlog in mail…
Best regards
Marcus
I was working on something similar, trying to configure custom fields using a template but it was only working for groupBy fields. I was only able to see values for ${source.groupByField} in the template output. I have a notification & backlog enabled but the template only works for groupBy fields, and not any of the event fields, eg. ${event.timerange_start}.
I’m able to see values for event fields in the notification template but it does not work in custom fields template. Not sure if I’m using it incorrectly
It seems that you may have a configuration error in you notification template. As for your Alerts & Events section for each USER that has failed to logon you only will see there name and workstation plus how many times they failed to logon. So if you have two USERS failing to logon to the same/different device you will get two different descriptions this is part of the grouping. If you just want to see a list of failed logon USERS then execute something like this below, you will need to use your search box in the upper left corner. To be precise, your naming convention needs to be unique
What would be really helpful is to show what you are looking at ( screenshots).and your configuration for Event Definitions & Notification template. I feel like were trying to do multiple settings at once. Maybe work on Event Definitions and then we can work on your Alerts.
Please take note, if the message does not have a field with WorkstationName or TargetUserName you probably will not see the data in the eMail. If that message does have these fields and it will not show in your eMail then I would assume it would be a configuration error. Only good way is to see your whole configuration so we may find the imperfection within the configuration/s made. When posting code or files please use the markup. This way we see what went wrong. Sometimes its a positions or indents in a file that may affect your outcome.
EDIT: I just realized that GL 4.1.3 notification templates now have HTML Body Template. During my upgrade it did not fill it in.
Hi all,
OK, so the Screenshots from the event definition (as a newbie I can only attach one img):
Filter + Aggregation: as you can see, I aggregate by TargetUserName count only. This enables us to count failed logins across multiple workstations. But the workstation’s names aren’t put into the custom fields, as mentioned above)
Fields: including the Workstation field, which I actually wanted to list all workstations of the messages contributing to this event; and the backlog field, as taken from alert definition, which is just not allowed here - at least it doesnt work.
The eMail alert works just fine for me, also with HTML. It shows the backlog as expected. But in the Graylog GUI, the events only populate custom fields that it aggregates by - not the list of workstations as I intended. Is it possible that the custom field would take only one value, and as soon as there are multiple values, it will not fill it?
Hi,
that comes close to what I have, but there’s a slight difference to what I was looking to achieve, as you set the count() threshold to >0 (mine is >=5) . What I would like to see as an event is when there were >=5 failed logons with the same username on one or multiple workstations. That’s working so far, even when the failed logins are distributed across multiple workstations. But what I do not see in the event is the name of those multiple workstations. I tried to put in in
Testing in my lab with the configuration you posted above. I was unable to create a list of workstations from a user and vice versa.
Best I could do was create a widget. Since I have one dashboard over looking all events in my environment, this was a lot easier.
To be honest, I really don’t know if this can be done in the Alerts & Events section, but like I said there are other ways to achieve this. Maybe someone here was able to do this.
This on my dashboard that over looks my environment.
That sceenshot shows me Paul/Administrator/greg.smith failed to logon all the Workstation names and how many time they did this on each server.
If I’m misunderstanding you please show a screen shot for better clarity.
Hope that helps
Hi,
this looks like the closest we will come to the solution, indeed. I configured a similar widget, plus maybe I will create an email notification with backlog.
Thank you so much for taking your time to check this in your environment!
