We want to raise an alarm if a VPN user’s IP changes over time.
Not sure how to proceed with solving the issue.
- Graylog 4.2.0
- MongoDB 4.4.5
- Elasticsearch 7.12.0
Logs are sent to Graylog via Filebeat on port 5044. The VPN logs are run through an extractor that creates some new fields:
GeoIP also adds the following fields:
I’m wondering if I would need to create a lookup table with baseline data including username and vpn_source_ip, which could be used to compare against newer records and raise an alarm if it’s different? Or is there a better way of doing it?
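One way to implement the baseline-and-compare idea floated in the question, as an added example that is not part of the original post and not Graylog’s own code: a small Python detector keeps the username → vpn_source_ip lookup and raises an alert only when an already-known user appears from a different address. The field names match the post; the record layout, the `timestamp` field and all sample events are constructed assumptions.

```python
"""Baseline-and-compare detection for per-user VPN source IP changes."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Field names follow the extractor fields named in the post; the record
# layout and every sample value below are constructed for this example.

@dataclass
class Alert:
    username: str
    previous_ip: str
    current_ip: str
    timestamp: str

@dataclass
class IpChangeDetector:
    # username -> last known vpn_source_ip (the "lookup table" baseline)
    baseline: Dict[str, str] = field(default_factory=dict)

    def process(self, record: dict) -> Optional[Alert]:
        user = record.get("username")
        ip = record.get("vpn_source_ip")
        if not user or not ip:
            return None  # extractor did not populate both fields; nothing to compare
        known = self.baseline.get(user)
        if known is None:
            self.baseline[user] = ip  # first sighting of this user: learn, do not alert
            return None
        if known == ip:
            return None
        self.baseline[user] = ip  # move the baseline so the next change is measured from here
        return Alert(user, known, ip, record.get("timestamp", ""))

def run_detection(records: Iterable[dict], seed: Optional[Dict[str, str]] = None) -> List[Alert]:
    """Feed records in time order (optionally seeded with a prior baseline); return alerts raised."""
    det = IpChangeDetector(dict(seed or {}))
    return [a for a in (det.process(r) for r in records) if a is not None]

SAMPLE_RECORDS = [  # constructed sample events, already in time order
    {"timestamp": "2021-11-01T08:00:00Z", "username": "alice", "vpn_source_ip": "203.0.113.10"},
    {"timestamp": "2021-11-01T08:05:00Z", "username": "bob", "vpn_source_ip": "198.51.100.7"},
    {"timestamp": "2021-11-01T09:10:00Z", "username": "alice", "vpn_source_ip": "203.0.113.10"},
    {"timestamp": "2021-11-02T07:30:00Z", "username": "alice", "vpn_source_ip": "192.0.2.44"},
    {"timestamp": "2021-11-02T07:31:00Z", "username": "carol"},  # vpn_source_ip missing
]

if __name__ == "__main__":
    for a in run_detection(SAMPLE_RECORDS):
        print(f"{a.timestamp} {a.username}: {a.previous_ip} -> {a.current_ip}")
```

Seeding `run_detection` with a stored baseline is the equivalent of loading the lookup table from a file; users with no baseline entry are learned silently rather than alerted on.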