We want to raise an alarm if a VPN user’s IP changes over time.
Description of steps you’ve taken to attempt to solve the issue
Not sure how to proceed with solving the issue.
Environmental information
Operating system information
Ubuntu
Package versions
Graylog 4.2.0
MongoDB 4.4.5
Elasticsearch 7.12.0
Logs are sent to Graylog via Filebeat on port 5044. The VPN logs are run through an extractor that creates some new fields:
vpn_username
vpn_source_ip
GeoIP also adds the following fields:
vpn_source_ip_city_name
vpn_source_ip_country_code
vpn_source_geolocation
I’m wondering if I would need to create a lookup table with baseline data including username and vpn_source_ip, which could be used to compare against newer records and raise an alarm if it’s different? Or is there a better way of doing it?
Hello,
It seems you have the fields created already, so maybe you could use a pipeline.
Something like this.
When the vpn_username field data does not match vpn_source_ip, set a field to false and send an alert.
Hi Gsmith,
I’m not sure I understand your reply, or that my question was clear. I’d like to see if a user’s VPN IP changes over time. So say for the first 5 days a user logs in they have the same IP; then on the 6th day the IP changes, and I’d like to raise an alarm.
Hello,
Yes, I did understand your question; sorry I didn’t explain in further detail. I believe using a pipeline for this function would help since you have the required fields already. The links above have a couple of different examples to give you some ideas.
Here is a quick mockup of what I was referring to in a pipeline.
rule "User IP Address"
when
  has_field("vpn_username") && has_field("vpn_source_ip")
then
  // true only when both the user and the address match the known pair,
  // false otherwise, so the next rule has a value to test
  set_field("vpn",
    contains(to_string($message.vpn_username), "some_user") &&
    contains(to_string($message.vpn_source_ip), "192.168.1.10"));
end

rule "IP Address Changed"
when
  // run this in a later pipeline stage so the "vpn" field already exists;
  // has_field() only tests presence, so the value is compared explicitly
  has_field("vpn") && to_bool($message.vpn) == false
then
  route_to_stream(id: "5d8acba383d72e04cba96317");
end
Then create an Event Definition for alerts, graphs, etc.
I know basic pipeline rules and it does take me a few tries to get it right. @tmacgbay has more knowledge of pipelines than I do if you decide to go that route.
I would definitely use pipeline rules and table references to capture/alert on IP change… but unless you can pre-populate a table with the correct username to IP address mapping, you would need to have an enterprise license to build historical results captured within messages and stored into Graylog’s MongoDB database. I would ignore the GeoIP information and stick with comparing the original vpn_source_ip.
If the amount of incoming data (all Graylog data) can stay below 5GB per day, you can get a free Enterprise license here.
Assuming you can pre-load a table with known good IPs, here is a sample pipeline rule that would set a boolean on a vpn_ip_match field:
rule "VPN - User from known IP"
when
  is_ip(to_ip($message.vpn_source_ip)) &&
  has_field("vpn_username")
  // whatever other criterion you want
then
  // get the known good IP for that username from the table; the default value
  // keeps a user who is missing from the table from matching an empty string
  let vpnU_storedIP = to_string(lookup_value("name_IP_table", $message.vpn_username, "none"));
  // exact comparison rather than contains(): a stored 192.168.1.1 must not
  // accept 192.168.1.10. vpn_ip_match becomes true if the IPs agree, false if not.
  set_field("vpn_ip_match", to_string($message.vpn_source_ip) == vpnU_storedIP);
end
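A stand-alone model of the lookup-table approach discussed in this thread, as an added example in Python (not Graylog pipeline code, and not from anyone in the thread): it learns a per-user table of known-good IPs from the first five login days the original poster described, then flags later logins from an address outside that table. The record layout, the five-day learning window and the sample logins are constructed assumptions.

```python
"""Baseline-and-compare check for per-user VPN source IPs.

Models the lookup-table idea from the thread: a table of known-good IPs per
vpn_username is learned from each user's first few login days, then later
logins are compared against it. All records below are constructed.
"""
from collections import defaultdict
from ipaddress import ip_address


def _login(day, user, ip):
    # Constructed record with the two fields the extractor produces.
    return {"date": f"2022-03-{day:02d}", "vpn_username": user, "vpn_source_ip": ip}


# Constructed sample: the OP's scenario (same IP for five login days, a new
# one on day six) for alice, and a prefix-only change for bob that a
# contains() test would have missed.
SAMPLE_LOGINS = (
    [_login(d, "alice", "203.0.113.10") for d in range(1, 6)]
    + [_login(6, "alice", "198.51.100.7")]
    + [_login(d, "bob", "203.0.113.2") for d in range(1, 6)]
    + [_login(6, "bob", "203.0.113.22")]
)


def detect_ip_changes(records, learning_days=5):
    """Learn each user's known-good IPs from their first `learning_days`
    distinct login dates, then flag any later login whose IP is not in that
    set. Returns (table, alerts): table is {user: set of IPs}, alerts is a
    list of (date, user, ip). The comparison is exact set membership, not a
    substring test, so 203.0.113.2 in the table does not accept 203.0.113.22."""
    days = defaultdict(set)
    table = defaultdict(set)
    alerts = []
    for rec in sorted(records, key=lambda r: r["date"]):
        user, ip, day = rec["vpn_username"], rec["vpn_source_ip"], rec["date"]
        ip_address(ip)  # same guard as is_ip(): unparseable values raise ValueError
        if day in days[user] or len(days[user]) < learning_days:
            days[user].add(day)  # still inside this user's learning window
            table[user].add(ip)
        elif ip not in table[user]:
            alerts.append((day, user, ip))  # known user, never-seen address
    return dict(table), alerts


if __name__ == "__main__":
    known, changed = detect_ip_changes(SAMPLE_LOGINS)
    for date, user, ip in changed:
        print(f"{date}: {user} logged in from {ip}, baseline {sorted(known[user])}")
```

In Graylog terms, `table` is the lookup table tmacgbay proposes pre-populating and `alerts` is the set of messages the `vpn_ip_match` rule would mark false.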