I was hoping to gather some tips/suggestions from the community. Assume Graylog is fully configured, and streams are set up to generate notifications/messages. What types of events/activities do you think are important to capture and be notified of?
For example, I have a stream that sends a Slack notification whenever a specific username is used to initiate an SSH session.
To simplify: If you had an ideal Graylog setup, what events would you want it to capture and report back to you?
(I'm new to Graylog and I'm trying to familiarise myself with it and how I can best optimise security)
I personally look at logon and logoff sessions. I also look at ports, like you do with SSH.
Also critical security events like user logins/logoffs, access denied attempts, account management changes, and privilege escalations. Monitor events related to system crashes, driver issues, service failures, and hardware problems. Track events logged by specific applications, which can indicate issues with application functionality or user errors.
Specific events to watch for:
Event ID 4625: Failed account logon attempt
Event ID 4634: Account logoff
Event ID 4672: Special privileges assigned to a new account
Event ID 4719: System audit policy change
Event ID 4656: A new process created with elevated privileges
Thanks for your input. I think the most important thing is to record and notify on events that are applicable to the environment(s) being analysed. For example, we have essentially three different office locations and we use IaaS for our servers, so we use VPNs to access the different networks; we record and notify on failed VPN logon attempts when they hit a specific frequency.
I had completely forgotten that Event IDs existed so thank you for reminding me!
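As an added illustration (not code from the thread or from Graylog), the two alert types discussed above written as plain detection logic over constructed log records: a match on an SSH session opened by a watched username, and a count-over-window rule for failed logons (Windows 4625 or VPN auth failures) of the kind Graylog's aggregation event definitions express. Event names, usernames, hosts and thresholds are assumptions chosen for the sample.

```python
"""Threshold-style detection over constructed log records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, roughly what Graylog holds after field extraction.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T10:00:00", "source": "vpn-gw", "event": "vpn_auth_failed", "user": "alice"},
    {"ts": "2024-05-01T10:01:00", "source": "vpn-gw", "event": "vpn_auth_failed", "user": "alice"},
    {"ts": "2024-05-01T10:02:30", "source": "vpn-gw", "event": "vpn_auth_failed", "user": "alice"},
    {"ts": "2024-05-01T10:03:00", "source": "vpn-gw", "event": "vpn_auth_ok", "user": "alice"},
    {"ts": "2024-05-01T10:00:10", "source": "dc01", "event": "win_4625", "user": "bob"},
    {"ts": "2024-05-01T10:30:00", "source": "dc01", "event": "win_4625", "user": "bob"},
    {"ts": "2024-05-01T10:05:00", "source": "bastion", "event": "ssh_session_opened", "user": "root"},
    {"ts": "2024-05-01T10:06:00", "source": "bastion", "event": "ssh_session_opened", "user": "carol"},
]

# Assumptions: accounts whose SSH sessions should page someone, and which
# event names count as a failed logon.
WATCHED_SSH_USERS = {"root", "svc-backup"}
FAILED_LOGON_EVENTS = {"vpn_auth_failed", "win_4625"}


def ssh_session_alerts(events):
    """Simple match rule: any SSH session opened by a watched username."""
    return [e for e in events
            if e["event"] == "ssh_session_opened" and e["user"] in WATCHED_SSH_USERS]


def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window count: fire when failures for (source, user) reach
    `threshold` within `window`; returns (key, count, timestamp_of_crossing)."""
    recent = defaultdict(deque)  # per-key timestamps still inside the window
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["event"] not in FAILED_LOGON_EVENTS:
            continue
        ts = datetime.fromisoformat(e["ts"])
        key = (e["source"], e["user"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) == threshold:  # fire once as the count crosses the threshold
            alerts.append((key, len(q), e["ts"]))
    return alerts


if __name__ == "__main__":
    print(ssh_session_alerts(SAMPLE_EVENTS))
    print(failed_logon_bursts(SAMPLE_EVENTS))
```

In the sample, alice's three VPN failures inside five minutes fire one alert while bob's two 4625 events half an hour apart do not.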