Extract relevant messages based on a list of values

Mat · September 12, 2018, 3:15pm

Hi !

I’ve been asked to create complex rules on the Graylog we already use, but I can’t find any starting point.

We use Opentext to store all our internal documentation. This Opentext is installed over IIS. We already collect IIS logs in Graylog and apply few basic rules.
Log entries in IIS specify the URL accessed, and, more importantly, the file identifiation number a user is accessing (fileID).

We would like to trigger an alert each time some of the most sensitive files are accessed. So we need to compare the log entry field “fileID” (I’m not sure this is the correct wording) against a long (100+) list of sensitive fileID.
We could write a long rule with 100+ “OR”, but it seems a painful way to go (and not very future-proof). I was wondering if we could compare the field against a file (or a set) containing all the sensitive fileID.

I’m an absolute newbie concerning graylog, and despite hours of searching (on this forum and on the web) the only clue I found is this topic : Rule matching against a long list of values? answer is quite short and outdated.

I’m sure a detailed anwser is waiting for me somewhere, but I don’t know the correct wording that could lead me to this answer. Better, if someone have an answer, or specific documentation, it will help me a lot

Thanks a lot

derPhlipsi · September 12, 2018, 3:29pm

Hey @Mat,

have a look at http://docs.graylog.org/en/2.4/pages/lookuptables.html

This is exactly what you need.

Little hint list:

Create a lookup table with a CSV file (or even better a HTTP endpoint when you have one you could query to get the most up-to-date data) that has all your sensitive fileIDs.
Create a pipeline with a rule that sets a field like isSensitiveFile = true of a fileID matches one listed in your lookup table. Example:

rule "isSensitiveFile"
when
    lookup_value("sensitiveFileIDs", $message.fileID) != null //Or select a field that you can check here as single value return in the lookup table for more granular matching
then
    set_field(field: "isSensitiveFile", value: true);
end

Create an alert that looks for this isSensitiveFile field and use the backlog to put more specific information in the notification text.

Greetings,
Philipp

Mat · September 12, 2018, 4:07pm

Thank you so much Philipp. It seems it is exactly what I was looking for !
I’ll try to implement it right away

system · September 26, 2018, 4:07pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Search and/or compare lists of IPs from a file Graylog Central (peer support) pipeline-rules , send-csv-logsnx , alert	4	818	March 6, 2023
Rule matching against a long list of values? Graylog Central (peer support)	1	409	February 26, 2017
Match a value within a lookup table Graylog Central (peer support) pipeline-rules , route-to-streampl , debuggingpl	3	1919	October 8, 2020
How to approach file rename alerting (Sysmon) Graylog Central (peer support) pipeline-rules , route-to-streampl	4	1398	August 27, 2021
Get Notification for Unknown Devices Connecting to a Network Graylog Central (peer support) pipeline-rules , route-to-streampl	10	1220	September 15, 2021

Extract relevant messages based on a list of values

Related topics