Hi,
I am trying to wrap my head around trying to do a more complex search in Graylog and need a bit of a sounding board on if it is possible at all.
I am ingesting logs from a totally awesome product called Symantec Messaging Gateway (sarcasm intended). Extracting the fields and pumping the IPs through the Graylog threat engine. It is in turn reporting any threats.
At this point, you are probably wondering why. Because we have a lot of missed identifications and “spam storms” coming through that I am trying to catch before our users report them.
It sends about 7-8 messages for every email that goes through it. I have written extractors for all the fields and have those working really well so that all the data is indexed and searchable.
What I am left with is 2 messages that look like this:
- SERVERNAME bmserver: 1592204913|c0a86442|LOGICAL_IP|1.1.1.1
- SERVER NAME ecelerity[32024]: 1592204914|c0a86442|DELIVER|192.168.100.57:25|email@address.com
With everything between the pipes extracted to individual fields and the appropriate threat detected fields etc etc added to the first one.
So what I want to know is: messages that feature the DELIVER flag but also have a threatdetected from an earlier syslog message, which only exists on the LOGICAL_IP flag, essentially joining on the message ID, which is c0a86442.
The problem is that I don’t think this is possible in a standard query, but I was wondering if there was a way to do this I wasn’t aware of or haven’t thought of.
TIA
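An added example (not from the original post) of the correlation described above done outside Graylog in Python: parse the two pipe-delimited message shapes, record which message IDs carried a threat-flagged LOGICAL_IP, then emit the DELIVER messages sharing that ID. The sample lines and the `THREAT_IPS` set are constructed stand-ins for the threat-intel fields Graylog adds; the two extra lines with ID `deadbeef` are made up to show a clean message being left alone.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two message shapes in the post.
SAMPLE_LOGS = [
    "SERVERNAME bmserver: 1592204913|c0a86442|LOGICAL_IP|1.1.1.1",
    "SERVERNAME ecelerity[32024]: 1592204914|c0a86442|DELIVER|192.168.100.57:25|email@address.com",
    "SERVERNAME bmserver: 1592204920|deadbeef|LOGICAL_IP|10.0.0.5",
    "SERVERNAME ecelerity[32025]: 1592204921|deadbeef|DELIVER|192.168.100.57:25|other@address.com",
]

# Constructed stand-in for the threat lookup Graylog performs on LOGICAL_IP (assumption).
THREAT_IPS = {"1.1.1.1"}

# host, then process (which may carry a [pid]), then the pipe-delimited payload
LINE_RE = re.compile(r"^(?P<host>.+?) (?P<process>\S+): (?P<payload>.+)$")


def parse_line(line):
    """Split one syslog line into the fields the post extracts; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("payload").split("|")
    if len(fields) < 4:
        return None
    rec = {"process": m.group("process"), "timestamp": int(fields[0]),
           "message_id": fields[1], "flag": fields[2]}
    if rec["flag"] == "LOGICAL_IP":
        rec["logical_ip"] = fields[3]
    elif rec["flag"] == "DELIVER":
        rec["destination"] = fields[3]
        rec["recipient"] = fields[4] if len(fields) > 4 else None
    return rec


def correlate(lines, threat_ips):
    """Return DELIVER records whose message_id also had a threat-flagged LOGICAL_IP.

    Both sides are collected first so the join works even if the DELIVER line
    arrives before its LOGICAL_IP line.
    """
    threat_by_id = {}
    delivers = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["flag"] == "LOGICAL_IP" and rec["logical_ip"] in threat_ips:
            threat_by_id[rec["message_id"]] = rec["logical_ip"]
        elif rec["flag"] == "DELIVER":
            delivers[rec["message_id"]].append(rec)
    return [{**d, "threat_ip": ip}
            for mid, ip in threat_by_id.items() for d in delivers.get(mid, [])]
```

Running `correlate(SAMPLE_LOGS, THREAT_IPS)` yields only the `c0a86442` delivery, tagged with the IP that tripped the lookup.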