Looking for Suggestions: Multiline Log w/SessionID

Hey All,
Graylog newbie here, but I’m learning. I am looking for a suggestion on how to process logs from an MFA system. I have the logs shipping via FileBeat beautifully and a handful of extractors, however what I’m getting are about 40 logs per ‘Session’.

The end result I’m looking for is basically a Who, What, Why and When.
Example:

```text
MFA: [Session: ABCDE] Began transaction Lock
MFA: [Session: ABCDE] User is valid
MFA: [Session: ABCDE] Username: BlueteamNinja
MFA: [Session: ABCDE] AD Groups are: blah blah blah
MFA: [Session: ABCDE] LDAP password OK
MFA: [Session: ABCDE] Sent mobile Challenge
MFA: [Session: ABCDE] Challenge failed, Sending Fallback
MFA: [Session: ABCDE] SMS Token OK
MFA: [Session: ABCDE] Radius Authorized
```

How could I summarize this into a single message, something like (purely an example):

Session: ABCDE
User: BlueteamNinja
Login Success: LDAP
MFA Failed: Mobile
MFA Success: SMS

I would start here: https://www.elastic.co/guide/en/beats/filebeat/master/multiline-examples.html

Post up your results for others looking to solve the problem…

Going just a hair further - the major limitation is that the events must be in order. Given this is an MFA system, it's being hammered constantly, so the session IDs are rarely complete in order.

However, this looks very promising and if I get it working - I’ll post back my solution:
Plugin: Aggregate Filters
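One way to do the per-session aggregation this thread is after, as an added example (not code from the original posts, nor from Graylog, Filebeat, or the Aggregate Filters plugin): a Python pass that keys events on the session ID so interleaved sessions are handled, using the line format from the first post. The second session XYZ12, its user and its "Radius Rejected" line are constructed sample input.

```python
import re

LINE_RE = re.compile(r"^MFA: \[Session: (?P<sid>[^\]]+)\] (?P<msg>.*)$")  # thread's line shape
FIELDS = ("Session", "User", "Login Success", "MFA Failed", "MFA Success", "Result")

# Constructed sample: the thread's session ABCDE interleaved with a made-up
# session XYZ12 whose mobile challenge fails and whose fallback never succeeds.
SAMPLE_LOG = """\
MFA: [Session: ABCDE] Began transaction Lock
MFA: [Session: ABCDE] Username: BlueteamNinja
MFA: [Session: XYZ12] Username: RedteamFox
MFA: [Session: ABCDE] LDAP password OK
MFA: [Session: XYZ12] LDAP password OK
MFA: [Session: ABCDE] Sent mobile Challenge
MFA: [Session: XYZ12] Sent mobile Challenge
MFA: [Session: ABCDE] Challenge failed, Sending Fallback
MFA: [Session: ABCDE] SMS Token OK
MFA: [Session: XYZ12] Challenge failed, Sending Fallback
MFA: [Session: ABCDE] Radius Authorized
MFA: [Session: XYZ12] Radius Rejected
"""

def summarize(lines):
    """Fold per-line events into one record per session, keyed by session ID so
    interleaving across sessions does not matter (events within one session must
    still be in order). A record is emitted on its "Radius ..." line; whatever is
    left in `pending` never completed (lost lines, or a login still in flight)."""
    pending, finished = {}, []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an MFA session line
        sid, msg = m.group("sid"), m.group("msg")
        s = pending.setdefault(sid, {**dict.fromkeys(FIELDS), "Session": sid})
        if msg.startswith("Username: "):
            s["User"] = msg[len("Username: "):]
        elif msg == "LDAP password OK":
            s["Login Success"] = "LDAP"
        elif msg.startswith("Sent mobile Challenge"):
            s["_factor"] = "Mobile"  # remembered so a later failure can name it
        elif msg.startswith("Challenge failed"):
            s["MFA Failed"] = s.pop("_factor", "Unknown")
        elif msg == "SMS Token OK":
            s["MFA Success"] = "SMS"
        elif msg.startswith("Radius "):
            s["Result"] = msg[len("Radius "):]
            finished.append(pending.pop(sid))
    return finished, pending

def render(summary):
    return "\n".join(f"{k}: {summary[k]}" for k in FIELDS if summary[k] is not None)
```

Sessions still in `pending` at the end of the file are the ones worth alerting on separately, since they either lost lines in shipping or never reached a Radius decision.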
