Hello guys, I'm new to Graylog and I'm using one of the Graylog "VM appliances" (OVA) in this phase of testing/learning the platform.
So, I want to ship logs from Office 365 to Graylog, and I am using o365beat to do it. I also want to create some alerts and notifications via email. I have already configured it and everything seems to be working fine, but I've found a "little problem" that I'll explain with a little example:
My Goal:
I want to get an alert every time a user logs in from outside "Portugal", and my search query looks like this:
UserLoggedIn AND NOT scr_ip_geo_country:PT
search within the last: 1 minute
Execute search every: 1 minute
My problem:
A log from Office may have a timestamp of, for example, 10:20:00, but it will only be created and shipped to Graylog at, for example, 10:35:00, and my alerting rule won't trigger on this event. So I increased the "search within" to 30 minutes, and the alert is triggered, but it is multiplied across every search run and I'll have multiple alerts for the same event.
Does anybody know any way to overcome this "problem"?
Thank you all for your time and help, really appreciate it.
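As an added illustration of the problem described in the post (this is example code, not anything from Graylog or o365beat), here is a small Python replay of the alert schedule over three constructed login events: it shows why a 1-minute window misses the late-arriving record, why a 30-minute window re-alerts on the same event on every run, and how suppressing repeats by a per-event identifier (a hypothetical dedup key, not a Graylog setting) brings it back to one alert per login.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events: (event_id, event_time, arrival_in_graylog, scr_ip_geo_country).
# ev-1 mirrors the post: logged at 10:20:00 but only shipped to Graylog at 10:35:00.
EVENTS = [
    ("ev-1", "10:20:00", "10:35:00", "US"),  # outside PT, delivered 15 minutes late
    ("ev-2", "10:21:00", "10:21:30", "PT"),  # from PT, must never alert
    ("ev-3", "10:22:30", "10:22:40", "DE"),  # outside PT, delivered promptly
]


def parse(t):
    return datetime.strptime(t, "%H:%M:%S")


def run_alert_schedule(events, search_within, execute_every,
                       start="10:00:00", end="11:00:00", dedup=False):
    """Replay 'UserLoggedIn AND NOT scr_ip_geo_country:PT' every `execute_every`
    minutes, each run searching the last `search_within` minutes by event time.
    Only records that have already arrived in Graylog are visible to a run.
    Returns a Counter of alerts fired per event_id."""
    alerts = Counter()
    seen = set()  # hypothetical dedup state keyed on the event's own identifier
    now = parse(start)
    while now <= parse(end):
        window_start = now - timedelta(minutes=search_within)
        for eid, ts, arrival, country in events:
            if country == "PT":
                continue  # filtered out by NOT scr_ip_geo_country:PT
            t, a = parse(ts), parse(arrival)
            if a > now:
                continue  # not yet ingested, so this run cannot see it
            if not (window_start < t <= now):
                continue  # event timestamp outside the "search within" window
            if dedup and eid in seen:
                continue  # already alerted on this login, suppress the repeat
            seen.add(eid)
            alerts[eid] += 1
        now += timedelta(minutes=execute_every)
    return alerts


if __name__ == "__main__":
    print("1 min window / every 1 min :", dict(run_alert_schedule(EVENTS, 1, 1)))
    print("30 min window / every 1 min:", dict(run_alert_schedule(EVENTS, 30, 1)))
    print("30 min window + dedup      :", dict(run_alert_schedule(EVENTS, 30, 1, dedup=True)))
```

With the 1-minute window the late ev-1 is never alerted on at all; with the 30-minute window it fires on 15 consecutive runs (every run between its arrival and the moment its timestamp leaves the window), which is exactly the multiplication the post describes.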