Finding if a user's IP changes

Hi all,
We currently have our VPN logs going into Graylog and have created some notifications and alerts around that data. One of the ones we want to create is an alarm that will trigger if a user's source IP changes substantially. For example, user foo logs in mostly as

foo/192.168.1.1

Suddenly this changes to:

foo/10.92.1.1

How would I go about creating an alert that could be triggered by that scenario?

Users are using Linux desktops over a VPN.

Many thanks
Darrin

Hello && Welcome

This is possible, but unfortunately I don’t know how you set up your environment for us to proceed.
This would require how you are ingesting logs, configuration, etc…
Maybe this post could help

EDIT: Those are two completely different networks, 192.168.1.1 and 10.92.1.1. I personally never had a node switch networks even if I had DHCP enabled.
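
The detection asked about in the opening post can be sketched outside Graylog as a per-user baseline check. This is an added example, not part of the thread and not a Graylog feature or configuration. Assumptions: events arrive as `user/source-ip` strings like the ones in the question, "substantially" means a different /24 (IPv4) or /64 (IPv6) network, and the function names and thresholds are hypothetical.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample events in the "user/source-ip" form used in the question.
SAMPLE_EVENTS = [
    "foo/192.168.1.1",
    "foo/192.168.1.1",
    "bar/172.16.5.20",
    "foo/192.168.1.7",
    "foo/10.92.1.1",
    "bar/172.16.5.21",
    "not-a-login-line",
]

def network_of(ip, v4_prefix=24, v6_prefix=64):
    """Return the enclosing network of ip, e.g. '192.168.1.0/24'."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

def find_ip_changes(events, min_history=3, v4_prefix=24):
    """Return one alert per login from outside the user's usual network.

    The usual network is the one seen most often so far for that user.
    Nothing is flagged until min_history logins exist, so a new user
    does not alert on every login.
    """
    history = defaultdict(Counter)  # user -> Counter of networks seen
    alerts = []
    for line in events:
        user, sep, ip = line.strip().rpartition("/")
        if not sep or not user:
            continue  # not in user/ip form
        try:
            net = network_of(ip, v4_prefix)
        except ValueError:
            continue  # source field is not a valid IP address
        seen = history[user]
        if sum(seen.values()) >= min_history:
            usual = seen.most_common(1)[0][0]
            if net != usual:
                alerts.append({"user": user, "ip": ip,
                               "usual": usual, "network": net})
        seen[net] += 1  # the login still counts toward the baseline
    return alerts
```

With the sample events, only `foo/10.92.1.1` is reported, since `192.168.1.7` is still inside foo's usual /24. Because flagged logins are also counted, repeated logins from a new network eventually become the baseline; exclude them from the counter if that is not wanted.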
