Graylog Log Management Alerts


I am new to Graylog. I intend to use Graylog as a log management solution which can create alerts for the logs received from various network devices. I know that stream can be created and based on the predefined rules, alerts are created within the streams. However, I would like to know if its possible to create alerts based on the cases given below.

Current setup - Graylog 2.x with Elasticsearch and logstash.

  • Forwarding logs from various network devices (linux, windows, firewall- Juniper/Cisco ASA/Fortigate, Cisco switch, IDS, Active Directory) to Graylog.

Queries -

  1. Is there any custom set of rules/procedure available for the generating alerts for the below cases.
  2. Is it possible to create custom reports in Graylog


Malware Control
Reported malware threats
Anti- virus trends; prevented, detected, remediated
Spam trends; identified and removed
Malware attacked sources, and by prior vulnerability issues
Unusual traffic to and from sources
Source and destinations of malicious connections
Systems with multiple infections / top systems re- infected
Systems with suspicious malware activity
Anomalous network activity
A typical email or web communications
Anti- virus stop, start, update failures

Perimeter Defenses
Access failures by source and destinations
Inbound connections to internal sources by system, user, bandwidth and time
Outbound connections to external sources by system, user, bandwidth and time
Outbound DMZ connections to external sources by system, user, bandwidth and time
Perimeter attacks by category
Dropped traffic from DMZ, FW
Blocked internal sources by port, by destinations
Blocked outbound connections by port, by destination
Unusual DNS access and requests
Changes to active and standby configurations by perimeter device class
Daily or weekly alerts on top 10
Top unusual peak bandwidth utilization
Top bandwidth by protocol, by connection, by source, by destination
Configuration changes FW, VPN, WAP, Domain
Failure FW, VPN, WAP, Domain
Multiple login failures by FW, VPN, Domain
Excessive VM movement by VM, by guest host
Non- compliance VM movement by VM, by guest host
Wireless network access by location, by user, by failed attempts

Access Control
Top access failures by source, destination, user, business unit
Access failure by prioritized logical grouping
Top access destinations by users/groups and anomalous access
Access login success and failure (internal); by user, system, by device class, by time (with details)
Unusual access to prioritized logical grouping
Multiple account logons from different geographic locations
Suspicious access attempts or failure followed by success from same source
Privileged user access by access failure, by critical resource, by method, by different location/same time
Top privileged user access follow by configuration changes
Administrative changes to directory service user and group obMects; by admin, by user, by group, by resource criticality
Use of trusted and service accounts, by volume, by time of day, by domain
User activations, privilege change and terminations by device class
Remote access login success and failure (VPN, other); by user, by device class, by time with details
Unusual service account, terminated account use, login success and failures
Sources will include AAA, VPN, RADIUS, proxy and other authentication and access devices, directory services and host OS logs
Where possible, physical security device logs, such as badge or bio readers should be incorporated as an event log source
Maintaining baselines of location and access type for classes of users

Application defenses
Web application attacks per server and application
Web application attacks remediated
Top web application attack by type, by source, by destination
Web and database platform configuration changes
Web and database platform outages due to configuration changes
Application platform resource utilization anomalies
Database application security issues/trends
Database queries, inserts, deletes, creates that are atypical
Excessive denied requests (file, record, page) by web application by source, destination
Web application errors by web application by type
Top Critical SQL commands by administrator
Top monitored database table attribute changes
Top and unusual Web and database application access
Top Web application administrative changes
Top or Unusual application process resource utilization by application server
Web application outages associated with attacks or configuration changes


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.