Graylog notification/streams/alerts

Hi everyone,

I was hoping to gather some tips/suggestions from the community. Assume Graylog is fully configured, and streams are set up to generate notifications/messages. What types of events/activities do you think are important to capture and be notified of?

For example, I have a stream that sends a Slack notification whenever a specific username is used to initiate an SSH session.

To simplify: If you had an ideal Graylog setup, what events would you want it to capture and report back to you?

(I'm new to Graylog and I'm trying to familiarise myself with it and how I can best optimise security)

Hey @Conor_Healy

I personally look at logon and logoff sessions. I also look at ports, like you do with SSH.
Also critical security events like user logins/logoffs, access denied attempts, account management changes, and privilege escalations. Monitor events related to system crashes, driver issues, service failures, and hardware problems. Track events logged by specific applications, which can indicate issues with application functionality or user errors.

Specific events to watch for:

  • Event ID 4625: Failed account logon attempt
  • Event ID 4634: Account logoff
  • Event ID 4672: Special privileges assigned to a new account
  • Event ID 4719: System audit policy change
  • Event ID 4656: A new process created with elevated privileges
  • Event ID 5152: A file system filter driver loaded

Hi @gsmith,

Thanks for your input. I think the most important thing is to record and notify on events that are applicable to the environment(s) being analysed. For example, we have essentially three different office locations and we use IaaS for our servers, so we use VPNs to access the different networks, and we record and notify on failed VPN logon attempts when they hit a specific frequency.

I had completely forgotten that Event IDs existed so thank you for reminding me!

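As an added example (not code from this thread or from the Graylog project), the Python script below applies the kinds of rules described in these posts to constructed sample data: an alert whenever a watched username opens an SSH session (the original post's Slack rule), a frequency threshold on failed VPN logons from the same user (the last reply), and per-event or thresholded alerts on the Windows Security event IDs 4625, 4672 and 4719 from @gsmith's list. The syslog line format, the VPN gateway log format, the hostnames, usernames and record field names are all assumptions; in a real deployment these conditions would be expressed as Graylog stream rules or event definitions and the alert strings would feed a notification.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule parameters (assumed values, not taken from the thread)
WATCHED_SSH_USERS = {"root"}         # usernames whose SSH sessions always alert
FAIL_THRESHOLD = 3                   # this many failures for one key ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this trailing window fire one alert

# Windows Security event IDs from the reply above: 4672 and 4719 alert on every
# occurrence, 4625 only once the per-user failure threshold is reached.
IMMEDIATE_WINDOWS_EVENTS = {4672: "special privileges assigned", 4719: "audit policy changed"}
FAILED_LOGON_EVENT = 4625

# Assumed log formats: ISO timestamp first, then an sshd PAM session line or a
# hypothetical "vpn-gw" authentication-failure line.
SSH_SESSION_RE = re.compile(r"sshd\[\d+\]: pam_unix\(sshd:session\): session opened for user (\S+)")
VPN_FAIL_RE = re.compile(r"vpn-gw: AUTH FAILED user=(\S+) src=(\S+)")


class SlidingWindowCounter:
    """Counts events per key inside a trailing time window (the 'specific frequency' rule)."""

    def __init__(self, window):
        self.window = window
        self.events = defaultdict(deque)

    def add(self, key, ts):
        q = self.events[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        return len(q)


def parse_ts(line):
    return datetime.fromisoformat(line.split(" ", 1)[0])


def evaluate_syslog(lines):
    """Return alert strings for watched-user SSH sessions and VPN failure bursts."""
    alerts = []
    vpn_fails = SlidingWindowCounter(FAIL_WINDOW)
    for line in lines:
        ts = parse_ts(line)
        m = SSH_SESSION_RE.search(line)
        if m and m.group(1) in WATCHED_SSH_USERS:
            alerts.append(f"ssh_session watched_user={m.group(1)} at={ts.isoformat()}")
            continue
        m = VPN_FAIL_RE.search(line)
        if m:
            n = vpn_fails.add(m.group(1), ts)
            if n == FAIL_THRESHOLD:   # fire exactly once when the threshold is crossed
                minutes = int(FAIL_WINDOW.total_seconds() // 60)
                alerts.append(f"vpn_auth_failures user={m.group(1)} count={n} window={minutes}m")
    return alerts


def evaluate_windows(events):
    """events: constructed dicts with 'timestamp', 'event_id' and 'user' keys."""
    alerts = []
    logon_fails = SlidingWindowCounter(FAIL_WINDOW)
    for ev in events:
        ts = datetime.fromisoformat(ev["timestamp"])
        eid = ev["event_id"]
        if eid in IMMEDIATE_WINDOWS_EVENTS:
            alerts.append(f"win_{eid} {IMMEDIATE_WINDOWS_EVENTS[eid]} user={ev['user']}")
        elif eid == FAILED_LOGON_EVENT:
            n = logon_fails.add(ev["user"], ts)
            if n == FAIL_THRESHOLD:
                alerts.append(f"win_4625 failed_logons user={ev['user']} count={n}")
        # other IDs (e.g. 4634 logoff) are kept in the stream but raise no alert here
    return alerts


# Constructed sample input (not real logs)
SAMPLE_SYSLOG = [
    "2024-03-01T09:00:02 host1 sshd[1201]: pam_unix(sshd:session): session opened for user deploy by (uid=0)",
    "2024-03-01T09:01:10 host1 sshd[1300]: pam_unix(sshd:session): session opened for user root by (uid=0)",
    "2024-03-01T09:02:00 vpn-gw: AUTH FAILED user=alice src=203.0.113.7",
    "2024-03-01T09:02:30 vpn-gw: AUTH FAILED user=alice src=203.0.113.7",
    "2024-03-01T09:09:00 vpn-gw: AUTH FAILED user=alice src=203.0.113.7",  # first two have aged out
    "2024-03-01T09:10:00 vpn-gw: AUTH FAILED user=alice src=203.0.113.7",
    "2024-03-01T09:11:00 vpn-gw: AUTH FAILED user=alice src=203.0.113.7",  # third within 5 minutes
    "2024-03-01T09:12:00 vpn-gw: AUTH FAILED user=bob src=198.51.100.9",
]

WINDOWS_EVENTS = [
    {"timestamp": "2024-03-01T10:00:00", "event_id": 4634, "user": "svc-backup"},
    {"timestamp": "2024-03-01T10:00:05", "event_id": 4625, "user": "administrator"},
    {"timestamp": "2024-03-01T10:00:06", "event_id": 4625, "user": "administrator"},
    {"timestamp": "2024-03-01T10:00:07", "event_id": 4625, "user": "administrator"},
    {"timestamp": "2024-03-01T10:00:08", "event_id": 4625, "user": "administrator"},
    {"timestamp": "2024-03-01T10:01:00", "event_id": 4672, "user": "administrator"},
    {"timestamp": "2024-03-01T10:02:00", "event_id": 4719, "user": "administrator"},
]

if __name__ == "__main__":
    for alert in evaluate_syslog(SAMPLE_SYSLOG) + evaluate_windows(WINDOWS_EVENTS):
        print(alert)
```

The counter deliberately fires only when the count equals the threshold, so a sustained burst produces one notification instead of one per failure; the same idea maps onto a Graylog aggregation event definition with a count condition over a search window.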
