My purpose is to display the number of users connected to the server on a dashboard.
To do that, we need to be able to dynamically move the log representing the accessor.
For example, when there are two users, the number 2 appears, and when one person disconnects, the dashboard should display 1.
The method I thought of was to delete the separately collected connection logs one by one whenever a log indicating that the connection was lost came in.
This can be done either on your environment's devices or on the Graylog server itself.
I'll give you two demonstrations below.
On Windows, I have a field called TargetUsrName. Then I have a stream with rules to collect users logging into devices, called "Windows: User Successful Logon Local".
From that I made a widget as shown below.
For the Graylog server there are two ways this can be done.
If you're under 5 GB a day you can get the Enterprise License for free.
The second way is a little harder and takes more time to set up, but it's possible.
First, enable the Log4j2 Appender Configuration shown here.
That creates a file called restaccess in /var/log/graylog-server/
Next, the restaccess file needs to be picked up by your log shipper.
My log shipper is called "Nxlog". I have configured all NXLog INPUTs in a unique way in my environment: some for VDIs, DNS servers, AD servers, etc. Take notice that I named this input "access" in NXLog.
```
<Input access>                 # <---- this name
    Module        im_file
    File          "/var/log/graylog-server/restaccess.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec          $Message = $raw_event;
</Input>
```
So when the logs arrive I have a field called SourceModuleName, and under that field the value is "access". I then created a stream called "Linux: Source Access" to collect only those logs, with a rule matching the field SourceModuleName and containing the word "access".
The INPUT used for Graylog needs a REGEX extractor. I had to do this to pick up any string of numbers within that file, just in case I missed someone's name.
File for this demo
Newer Graylog versions now convert names into a numbered string or UUID, so I had to create a pipeline.
For every name that has access to Graylog I had to create a pipeline rule (copy and paste pipeline rules). It took about 15 minutes to do about 30 people.
The pipeline below is attached to the stream called "Linux: Source Access". It gets the number found in the message from restaccess, adjusts the field called "graylog_gui", and places the name for the number found.
```
rule "Graylog Web Access Greg"
when
    has_field("graylog_gui") AND contains(to_string($message.graylog_gui), "5e224e7683d72eff75055199")
then
    set_field("graylog_gui", "greg.smith");
end
```
Now it's widget time.
One problem I noticed was that as the user stays logged in it creates a message about every minute in the restaccess file, so basically it keeps counting.
This is a good starter. Unfortunately it's not just one number count, but it updates every 15 minutes, so I know who's logged on or not.
In the example below you can see the user Greg, and since I missed configuring a pipeline rule, you can see the UID. It just so happens that the UUID is the Graylog Sidecar collector.
My apologies, I got lazy and didn't finish. I'm also going to add a widget with just a number, sort of like what you wanted. I told you it would be a little harder, but it can be done, and since you're only dealing with one server it's pretty easy.
EDIT: I just noticed that you're using GL version 3.0. If your restaccess file has names you don't have to use a pipeline. Just create a new field with the name of the user and that should be about it.
Here is my old post.
I am not sure if this works with your older version of Graylog, but in mine (4.2.5) when I look at System/Users and Teams, I can see IPs listed for anyone who is connected. I am sure that is listed in MongoDB... So the ugly thing to do would be to have a script query Mongo at a small but reasonable interval and dump those IPs and whatever metadata you want to a text file that is picked up by local logging and processed into your dashboard... Man, that is an ugly way to do it... but it might be an interesting project to get to know Mongo/local text logging/dashboards...
Thanks for your reply!
I guess I didn't write a lot of explanation because I was in a hurry.
Syslog is sent from the client server to the Graylog server, and I want to extract the users who are connecting to the client server from syslog...
Could this also be easily found in MongoDB?
In that case you need to have your log shipper pick up the audit.log file in /var/log/.
Then use an extractor (regex) to make a field so you can create your widget.
Example of my Linux environment.
Extractor: regex user\s(\w+), which makes my field called "linux_user".
You could track logins that have happened over X time, but even if syslog/audit.log/auth.log tells you about disconnects and logouts, Graylog doesn't really have a way of counting those login/logout messages and applying the math for a solution. You could have a cron job that dumps the count of a who command to a text file watched by Filebeat and have a dashboard that shows the last number picked up. It's ugly, but it would be accurate within the repetition you set in cron...
Hey @gsmith, @tmacgbay!!!
you guys are so awesome!
It took a long time, but I finally solved the problem!!
I am so happy and I am just so grateful to you all…
It’s a pity that the widget has to be a data table, but it’s so great…!
Thank you very much and I hope to see you again next time.
Until then, stay healthy and happy everyone!
I may have taken a difficult path, as I am a newbie who has only just started studying this field.
This is my script.
```bash
#!/bin/bash
# Collect the IPs of the logged-in users (one per line) and the user count.
# `who --ips` prints: user tty date time ip ; field 5 is the source IP.
who --ips | awk '{print $5}' > /root/script/userip.txt
who --ips | wc -l > /root/script/user.txt
# Wrap each IP in brackets so the list is easier to read on one line.
sed -i 's/\([^ ]*\)/[&]/g' /root/script/userip.txt

VERSION="1.1"
HOST=$(hostname --long)
TIMESTAMP=$(date +%s)
LEVEL=1
# Join the IPs onto a single line; a GELF short_message must not contain raw newlines.
MESSAGE=$(tr '\n' ' ' < /root/script/userip.txt)
GRAYLOG_SERVER="graylog server ip"   # placeholder: set to your Graylog server IP
GRAYLOG_PORT="any port"              # placeholder: set to the port of your GELF UDP input

cd /root/script || exit 1
if [ -e user.txt ]; then
    MSG="{\"version\": \"$VERSION\""
    MSG="$MSG,\"host\":\"$HOST\""
    MSG="$MSG,\"short_message\":\"$MESSAGE\""
    MSG="$MSG,\"timestamp\":$TIMESTAMP"
    MSG="$MSG,\"level\":$LEVEL"
    # user.txt holds a single line (the count), so this adds one "users" field.
    for user in $(cat user.txt); do
        MSG="$MSG,\"users\":\"$user\""
    done
    MSG="$MSG}"
    # Send the GELF message gzip-compressed over UDP.
    echo "$MSG" | gzip -cf | nc -w 1 -u "$GRAYLOG_SERVER" "$GRAYLOG_PORT"
fi
cd
```
I created two text files to check the number of users connected to the server as well as the IPs of the users who are connecting.
The reason for separating the files is to create a separate widget without extracting the string.
The IPs are included on one line in MESSAGE because multiple IPs cannot be included in MSG; only one is displayed.
Also, sed is a command to make it easier to see the IPs displayed on one line.
And I run the script every minute with crontab.
I had already sent two log files to rsyslog, so I made an INPUT using GELF, and they are successfully received.
I am still inexperienced in writing scripts, so it may seem inefficient because I have modified an existing GELF script.
This is my widget.
For IP, I deleted all fields except MESSAGE PREVIEW for a clear view, and if Logon user is set to Single Number only the number of logs is displayed, so it is set as a data table.
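The cron-plus-who approach suggested earlier in the thread and the GELF script posted above both work, but the script builds JSON by string concatenation, which is why several IPs could not be carried as separate fields and why the count ends up as a string. The following is an added example, not a script from this thread or from Graylog: it parses `who --ips` output, emits a GELF 1.1 message with a numeric `_user_count` (so a Graylog widget can show the latest value of the field rather than counting messages) and the IP list in its own field, and gzips it for a GELF UDP input. The field names `_session_count`, `_user_count`, `_users` and `_user_ips`, the hostname `client.example.internal` and the `who` sample lines are all constructed for the example.

```python
"""Added example (not the thread's own script): ship the logged-in user count and
source IPs from `who --ips` as a single GELF 1.1 message.

Assumptions not taken from the thread: the custom field names below, and that the
Graylog GELF UDP input's address and port are passed on the command line."""
import gzip
import json
import socket
import subprocess
import sys
import time


def parse_who(output):
    """Parse `who --ips` lines into (user, ip) tuples.

    Column 5 is the source IP; console logins have no IP column and are
    recorded as 'local' so they still count as a session."""
    sessions = []
    for line in output.splitlines():
        parts = line.split()
        if not parts:
            continue
        user = parts[0]
        ip = parts[4] if len(parts) >= 5 else "local"
        sessions.append((user, ip))
    return sessions


def build_gelf(sessions, host, timestamp=None):
    """Build a GELF 1.1 payload.

    Custom fields carry a leading underscore as the GELF spec requires. The
    counts are JSON numbers, so a dashboard widget can aggregate the field
    (e.g. latest/max value) instead of counting how many messages arrived."""
    ips = sorted({ip for _, ip in sessions})
    users = sorted({user for user, _ in sessions})
    ip_list = " ".join("[%s]" % ip for ip in ips) or "none"
    return {
        "version": "1.1",
        "host": host,
        "short_message": "%d session(s) from %s" % (len(sessions), ip_list),
        "timestamp": timestamp if timestamp is not None else time.time(),
        "level": 6,
        "_session_count": len(sessions),
        "_user_count": len(users),
        "_users": ",".join(users),
        "_user_ips": ",".join(ips),
    }


def encode_gelf(payload):
    """json.dumps handles quoting and escaping; gzip is one of the compressions
    the Graylog GELF UDP input accepts. The datagram must stay below the UDP/GELF
    chunk limit (a few KiB); this example does not implement GELF chunking."""
    return gzip.compress(json.dumps(payload).encode("utf-8"))


def decode_gelf(data):
    """Inverse of encode_gelf, useful for checking what would hit the wire."""
    return json.loads(gzip.decompress(data).decode("utf-8"))


def send_gelf_udp(data, server, port):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(data, (server, port))


# Constructed sample `who --ips` output (not real data); TEST-NET addresses.
SAMPLE_WHO = """\
greg     pts/0        2024-05-01 09:12 203.0.113.10
alice    pts/1        2024-05-01 09:30 198.51.100.7
greg     pts/2        2024-05-01 09:45 203.0.113.10
root     tty1         2024-05-01 08:00
"""

if __name__ == "__main__":
    # Run from cron as: gelf_who.py <graylog server ip> <gelf udp port>
    output = subprocess.run(["who", "--ips"], capture_output=True, text=True, check=False).stdout
    payload = build_gelf(parse_who(output), socket.getfqdn())
    if len(sys.argv) == 3:
        send_gelf_udp(encode_gelf(payload), sys.argv[1], int(sys.argv[2]))
    else:
        print(json.dumps(payload, indent=2))  # dry run: show the payload only
```

Run it without arguments to see the payload for the current host; with the server and port it sends one datagram per run, so a one-minute cron entry gives the same update cadence as the shell script. Because `_user_count` is numeric, a dashboard widget can be set to the latest value of that field rather than to a count of messages, which is the difference that kept the Single Number widget from working above.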
I was going to ask, is it possible to post that here? @tmacgbay stated above. This would be awesome and would make it way easier to point people to this script.