How to display the number of users connecting to the server

Hello @pat-bung

This can be done either in your environment devices or Graylog server.
I’ll give you two demonstrations below.

Using Windows, I have a field called TargetUsrName. Then I have a stream w/ rules to collect users logging into a device, called “Windows: User Successful Logon Local”.
From that I made a widget as shown below.

For Graylog server there are two ways this can be done.

  1. If you're under 5 Gb a day you can get the Enterprise License for free.
  2. The second way is a little harder and takes more time to set up, but it's possible.

First enable Log4j2 Appender Configuration shown here

That creates a file called restaccess in /var/log/graylog-server/
Next, the file called restaccess needs to be picked up by your log shipper.
My log shipper is called “Nxlog”. I have configured all of Nxlog's INPUT configs in a unique way in my environment: some for VDIs, DNS servers, AD servers, etc. Take notice of the name I gave this input in Nxlog; it's called access.

# "access" on the next line is the input name referred to above
<Input access>
    Module       im_file
    FILE         "/var/log/graylog-server/restaccess.log"
    SavePos       TRUE
    ReadFromLast  TRUE
    PollInterval  1
    Exec  $Message = $raw_event;
</Input>

So when the logs arrive I have a field called SourceModuleName, and under that field the value is the name I gave, access. I then created a stream called Linux: Source Access to collect only those logs, with a rule matching the field SourceModuleName that contains the word Access.

Example of the received message.

The INPUT used for Graylog needs a REGEX extractor. I had to do this to pick up any string of numbers within that file, just in case I missed someone’s name.
File for this demo

2022-01-17 21:50:29,711 DEBUG: org.graylog2.rest.accesslog - 8.8.8.8 5e224e7683d72eff75055199 [-] "GET api/system/cluster/nodes" Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36 200 -1

I originally want a pipeline to do all this @tmacgbay :smiley: :laughing:
As you can see, the number after the IP address shows as 5e224e7683d72eff75055199.

Regex:

(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])\s(\w+.\w+)

Test completed.

Newer Graylog versions now convert names into a numbered string or UUID, so I had to create a pipeline.
For every name that has access to Graylog I had to create a pipeline for them. (Copy && paste pipeline rules.) It took about 15 minutes to do like 30 people.

The pipeline below is attached to the stream called Linux: Source Access, then gets the number found in that message from restaccess. It adjusts the field called “graylog_gui” and places the name for the number found.

rule "Graylog Web Access Greg"
when
    has_field("graylog_gui") AND contains(to_string($message.graylog_gui), "5e224e7683d72eff75055199")
then
    set_field("graylog_gui","greg.smith");
end

Now it's widget time.

One problem I noticed was as the user stays logged in it creates a message like every minute in the restaccess file, so basically it keeps counting.

This is a good starter. Unfortunately it's not just one number count, but every 15 minutes it updates so I know who's logged on or not.

In the example below, you can see the user Greg, and since I missed configuring a pipeline, you can see the UID. It just so happens that UUID is the Graylog Sidecar collector.

My apologies, I got lazy and didn’t finish. I'm also going to add a widget with just a number, sort of like what you wanted. I told you it would be a little harder, but it can be done. Since you're only dealing with one server it's pretty easy.

EDIT: I just noticed that you're using GL Version 3.0. If your restaccess file has names you don’t have to use a pipeline. Just create a new field with the name of the user and that should be about it.
Here is my old post.

Hope that helps

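The following Python example was added here and is not part of the original post or Graylog's own code. It counts distinct users per 15-minute window from restaccess lines, so the once-a-minute messages from a logged-in user do not inflate the number. The line regex is a simplified variant of the post's extractor; the sample lines, the second ID and the treatment of `-` as an unauthenticated request are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified variant of the post's extractor: timestamp, client IPv4, user token.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} \S+ \S+ - "
    r"(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s(?P<user>[\w.\-]+)\s"
)

GREG_ID = "5e224e7683d72eff75055199"      # ID shown in the post
UNMAPPED_ID = "0123456789abcdef01234567"  # made-up ID with no name mapping

# ID -> name map, playing the role of the per-user pipeline rules.
NAMES = {GREG_ID: "greg.smith"}


def make_line(ts, ip, user):
    """Build a constructed restaccess line in the format shown in the post."""
    return (f"{ts},711 DEBUG: org.graylog2.rest.accesslog - {ip} {user} [-] "
            '"GET api/system/cluster/nodes" Mozilla/5.0 200 -1')


# Constructed sample: one user polling every minute, one unmapped ID,
# one request without a user, and one line that is not an access record.
SAMPLE = [
    make_line("2022-01-17 21:50:29", "192.0.2.10", GREG_ID),
    make_line("2022-01-17 21:51:29", "192.0.2.10", GREG_ID),
    make_line("2022-01-17 21:52:29", "192.0.2.10", GREG_ID),
    make_line("2022-01-17 21:53:10", "192.0.2.20", UNMAPPED_ID),
    make_line("2022-01-17 21:54:00", "192.0.2.30", "-"),
    "2022-01-17 21:55:00,000 INFO : unrelated log line",
    make_line("2022-01-17 22:06:29", "192.0.2.10", GREG_ID),
]


def users_per_window(lines, names=NAMES, minutes=15):
    """Return {window_start: (sorted distinct users, raw line count)}."""
    users, hits = defaultdict(set), defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["user"] == "-":  # assumption: "-" means no logged-in user
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = ts.replace(minute=ts.minute - ts.minute % minutes, second=0)
        users[window].add(names.get(m["user"], m["user"]))  # unmapped IDs stay visible
        hits[window] += 1
    return {w: (sorted(users[w]), hits[w]) for w in sorted(users)}
```

On the sample, the 21:45 window holds four access lines but only two distinct users, which is the gap between a raw message count and a logged-in-user count.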