Finding if a users IP changes

HI all,
We currently have our vpn logs going into graylog and have created some notifications and alerts around that data. Once of the ones we want to create is an alarm that will trigger if a users source IP changes substantially. For example, user foo logs in mostly as


Suddenly this changes to:


how would I go about create an alert that could be triggered by that scenario?

Users are using Linux desktops over a vpn.

many thanks

Hello && Welcome

This is possible but unfortunately I don’t know how you set up you environment for us to proceed.
This would require how you are ingesting logs, configuration, etc…
Maybe this post could help

EDIT: Those are completely two different networks and . I personally never had a node switch networks even if I had DHCP enabled.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.