Finding if a user's IP changes (part 2)

Description of your problem

We want to raise an alarm if a VPN user’s IP changes over time.

Description of steps you’ve taken to attempt to solve the issue

Not sure how to proceed with solving the issue.

Environmental information

Operating system information

  • Ubuntu

Package versions

  • Graylog 4.2.0
  • MongoDB 4.4.5
  • Elasticsearch 7.12.0

Logs are sent to Graylog via Filebeat on port 5044. The VPN logs are run through an extractor that creates some new fields:

  • vpn_username
  • vpn_source_ip

GeoIP also adds the following fields:

  • vpn_source_ip_city_name
  • vpn_source_ip_country_code
  • vpn_source_geolocation

I'm wondering whether I would need to create a lookup table with baseline data including username and vpn_source_ip, which could be used to compare against newer records and raise an alarm if it's different. Or is there a better way of doing it?

many thanks
Darrin

Hello,
It seems you have the fields created already, so maybe you could use a pipeline.
Something like this:
When the vpn_username field data does not match vpn_source_ip, set a field to false and send an alert.

To give you some ideas you can look here.

https://graylog.zammad.com/help/en-us/15-pipeline-rule-samples

https://docs.graylog.org/docs/functions

Or here

I haven't made a lookup table yet, but that also sounds feasible.

Hi Gsmith,
I'm not sure I understand your reply, or that my question was clear. I'd like to see if a user's VPN IP changes over time. So say for the first 5 days a user logs in they have the same IP; then on the 6th day the IP changes, and I'd like to raise an alarm.

many thanks
Darrin

Hello,
Yes, I did understand your question; sorry I didn't explain in further detail. I believe using a pipeline for this function would help, since you have the required fields already. The links above have a couple of different examples to give you some ideas.

Here is a quick mockup of what I was referring to in a pipeline.

rule "User IP Address"
when
    has_field("vpn_username") && has_field("vpn_source_ip")
then
    // true only when both the user and the IP match; false otherwise
    set_field("vpn",
        contains(to_string($message.vpn_username), "some_user") &&
        contains(to_string($message.vpn_source_ip), "192.168.1.10"));
end

rule "IP Address Changed"
when
    // has_field() only takes a field name, so test the value separately;
    // run this rule in a later stage than the one that sets "vpn"
    has_field("vpn") && to_bool($message.vpn) == false
then
    route_to_stream(id:"5d8acba383d72e04cba96317");
end

Then create a Event Definition for alert, graphs, etc…

Or you could create a lookup table.

https://docs.graylog.org/docs/lookuptables

I know basic pipeline rules and it does take me a few to get it right.
@tmacgbay has more knowledge of pipelines than I do, if you decide to go that route.

I would definitely use pipeline rules and table references to capture/alert on IP change… but unless you can pre-populate a table with the correct username-to-IP-address mapping, you would need to have an enterprise license to build historical results captured within messages and stored into Graylog's MongoDB database. I would ignore the GeoIP information and stick with comparing the original vpn_source_ip.

If the amount of incoming data (all Graylog data) can stay below 5GB per day, you can get a free Enterprise license here.

Assuming you can pre-load a table with known good IPs, here is a sample pipeline rule that would set a boolean on a vpn_ip_match field:

rule "VPN - User from known IP"
when
    is_ip(to_ip($message.vpn_source_ip))      &&
    has_field("vpn_username")
    //whatever other criterion you want
then
    // get the known good IP for that username from the table; "" if the user is not in it
    let vpnU_storedIP = to_string(lookup_value("name_IP_table", $message.vpn_username, ""));

    // exact comparison: contains() would also accept 10.0.0.1 as a match for 10.0.0.12,
    // and would match every message when the lookup returns nothing
    set_field("vpn_ip_match", to_string($message.vpn_source_ip) == vpnU_storedIP);
end
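The baseline-and-compare approach discussed in Darrin's question and in tmacgbay's reply, worked through end to end as an added example (this is not code from the thread, from Graylog or from any of the posters). It assumes the extractor fields from the question (vpn_username, vpn_source_ip) plus a timestamp, treats everything before a hypothetical cut-off date as the known-good baseline, alerts on any later login from an IP that user has not used before, and writes the baseline out as the two-column CSV a Graylog CSV lookup-table adapter can load. The log lines, user names and addresses are constructed; one of them (203.0.113.70 against a stored 203.0.113.7) shows why a substring comparison is the wrong test.

```python
"""Baseline-and-compare detection of VPN source IP changes.

Added example, not code from the thread, from Graylog or from any poster.
Assumes the extractor fields vpn_username and vpn_source_ip plus a timestamp;
everything before BASELINE_CUTOFF is the known-good baseline, later logins
from an IP the user has not used before raise an alert. Log lines are
constructed; users and addresses are hypothetical (RFC 5737 ranges).
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample records in "timestamp key=value key=value" form.
SAMPLE_LOGS = [
    "2021-11-01T08:00:00 vpn_username=alice vpn_source_ip=198.51.100.10",
    "2021-11-02T08:05:00 vpn_username=alice vpn_source_ip=198.51.100.10",
    "2021-11-05T08:02:00 vpn_username=alice vpn_source_ip=198.51.100.10",
    "2021-11-01T09:00:00 vpn_username=bob vpn_source_ip=203.0.113.7",
    "2021-11-04T09:00:00 vpn_username=bob vpn_source_ip=203.0.113.7",
    "2021-11-06T08:01:00 vpn_username=alice vpn_source_ip=203.0.113.99",  # day 6: new IP
    "2021-11-06T09:00:00 vpn_username=bob vpn_source_ip=203.0.113.7",
    "2021-11-07T10:00:00 vpn_username=carol vpn_source_ip=198.51.100.22",  # never seen before
    "2021-11-07T11:00:00 vpn_username=bob vpn_source_ip=203.0.113.70",  # superstring of bob's IP
]
BASELINE_CUTOFF = datetime(2021, 11, 6)  # hypothetical: the first five days form the baseline


def parse_line(line):
    """Split one line into timestamp, user and IP. The IP is normalised via
    ipaddress so equality is exact (IPv6 zero compression, leading zeros);
    a malformed address raises ValueError instead of silently passing."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "timestamp": datetime.fromisoformat(ts),
        "vpn_username": fields["vpn_username"],
        "vpn_source_ip": str(ipaddress.ip_address(fields["vpn_source_ip"])),
    }


def build_baseline(records, cutoff=BASELINE_CUTOFF):
    """Map each user to the set of source IPs seen before the cut-off."""
    baseline = defaultdict(set)
    for r in records:
        if r["timestamp"] < cutoff:
            baseline[r["vpn_username"]].add(r["vpn_source_ip"])
    return dict(baseline)


def check_record(record, baseline):
    """Return None when the login matches the baseline, else an alert dict.
    An unknown user is reported rather than passed: an empty lookup result
    fed to a substring comparison would otherwise match everything."""
    user, ip = record["vpn_username"], record["vpn_source_ip"]
    known = baseline.get(user)
    if known is None:
        return {"vpn_username": user, "vpn_source_ip": ip, "reason": "unknown_user"}
    if ip not in known:  # exact match on the normalised address
        return {"vpn_username": user, "vpn_source_ip": ip, "reason": "new_ip",
                "known_ips": sorted(known)}
    return None


def substring_match(message_ip, stored_ip):
    """Mirror of a contains(message_ip, stored_ip) check: true whenever the
    stored IP is a substring of the message IP, so 203.0.113.7 'matches'
    203.0.113.70. Included only to show why the comparison must be exact."""
    return stored_ip in message_ip


def detect_changes(lines, cutoff=BASELINE_CUTOFF):
    """Build the baseline from lines before the cut-off and return alerts
    for lines at or after it, in log order."""
    records = [parse_line(line) for line in lines]
    baseline = build_baseline(records, cutoff)
    alerts = (check_record(r, baseline) for r in records if r["timestamp"] >= cutoff)
    return [a for a in alerts if a]


def baseline_to_csv(baseline):
    """Render the baseline as 'vpn_username,vpn_source_ip' CSV. Several known
    IPs for one user are joined with '|' in the value cell, which a pipeline
    rule can split again on the Graylog side."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerow(["vpn_username", "vpn_source_ip"])
    for user in sorted(baseline):
        w.writerow([user, "|".join(sorted(baseline[user]))])
    return buf.getvalue()


if __name__ == "__main__":
    for alert in detect_changes(SAMPLE_LOGS):
        print("ALERT", alert)
    print(baseline_to_csv(build_baseline([parse_line(line) for line in SAMPLE_LOGS])))
```

Running it alerts on alice's day-6 login from 203.0.113.99, on carol (no baseline at all) and on bob's login from 203.0.113.70, while `substring_match("203.0.113.70", "203.0.113.7")` returns True and would have let that last one through. On the Graylog side the equivalent check in a pipeline rule is an exact `==` between `to_string($message.vpn_source_ip)` and the looked-up value, with a default of "" passed to lookup_value so that a user missing from the table comes out as a mismatch rather than a match; the CSV produced here is the baseline that such a lookup table would be loaded from.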
