Hey All,
Graylog newbie here, but I'm learning. I am looking for a suggestion on how to process logs from an MFA system. I have the logs shipping via FileBeat beautifully and a handful of extractors; however, what I'm getting is about 40 logs per 'Session'.
The end result I’m looking for is basically a Who, What, Why and When.
Example:
```
MFA: [Session: ABCDE] Began transaction Lock
MFA: [Session: ABCDE] User is valid
MFA: [Session: ABCDE] Username: BlueteamNinja
MFA: [Session: ABCDE] AD Groups are: blah blah blah
MFA: [Session: ABCDE] LDAP password OK
MFA: [Session: ABCDE] Sent mobile Challenge
MFA: [Session: ABCDE] Challenge failed, Sending Fallback
MFA: [Session: ABCDE] SMS Token OK
MFA: [Session: ABCDE] Radius Authorized
```
How could I summarize this as a single message, something like (purely an example):
```
Session: ABCDE
User: BlueteamNinja
Login Success: LDAP
MFA Failed: Mobile
MFA Success: SMS
```
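The correlation step the post is asking for, as an added example that is not part of the original post and is not Graylog code: the lines are grouped by the `[Session: ...]` key and each group is folded into one record with the fields the poster wants. It runs stand-alone in Python. The sample input is constructed for this example: session ABCDE is the post's own lines, and session FGHIJ is an invented second session that never completes (no fallback result, no RADIUS decision), interleaved with the first, to show that the summarizer copes with interleaved and unfinished sessions. The message patterns it keys on (`Username:`, `LDAP password OK`, `Sent <method> Challenge`, `Challenge failed`, `<method> Token OK`, `Radius Authorized`) are taken from the post; any other wording in a real log would need its own pattern.

```python
import re
from collections import OrderedDict

# Constructed sample input (not from a real system). ABCDE is the post's example;
# FGHIJ is an added, unfinished session interleaved with it.
SAMPLE_LOG = """\
MFA: [Session: ABCDE] Began transaction Lock
MFA: [Session: ABCDE] User is valid
MFA: [Session: FGHIJ] Began transaction Lock
MFA: [Session: ABCDE] Username: BlueteamNinja
MFA: [Session: ABCDE] AD Groups are: blah blah blah
MFA: [Session: FGHIJ] Username: RedteamRaccoon
MFA: [Session: ABCDE] LDAP password OK
MFA: [Session: ABCDE] Sent mobile Challenge
MFA: [Session: FGHIJ] LDAP password OK
MFA: [Session: ABCDE] Challenge failed, Sending Fallback
MFA: [Session: FGHIJ] Sent mobile Challenge
MFA: [Session: ABCDE] SMS Token OK
MFA: [Session: FGHIJ] Challenge failed, Sending Fallback
MFA: [Session: ABCDE] Radius Authorized
"""

# Patterns derived from the message shapes shown in the post.
LINE_RE = re.compile(r"^MFA: \[Session: (?P<session>\w+)\] (?P<event>.+)$")
USER_RE = re.compile(r"^Username: (?P<user>\S+)$")
CHALLENGE_RE = re.compile(r"^Sent (?P<method>\w+) Challenge$")
TOKEN_OK_RE = re.compile(r"^(?P<method>\w+) Token OK$")


def parse_line(line):
    """Return (session, event) for an MFA log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("session"), m.group("event")


def new_summary(session):
    """Empty per-session record in the shape the post asks for."""
    return {
        "session": session,
        "user": None,
        "login_success": None,  # primary factor that passed (e.g. LDAP)
        "mfa_failed": [],       # challenge methods that failed, in order
        "mfa_success": None,    # method that finally satisfied MFA
        "authorized": False,    # did RADIUS authorize the session?
        "events": 0,            # how many raw lines were folded in
    }


def apply_event(summary, event, state):
    """Fold one event into the session summary.

    `state` remembers the last challenge method sent for this session, so a
    later 'Challenge failed' line can be attributed to that method."""
    summary["events"] += 1
    if m := USER_RE.match(event):
        summary["user"] = m.group("user")
    elif event == "LDAP password OK":
        summary["login_success"] = "LDAP"
    elif m := CHALLENGE_RE.match(event):
        state["pending"] = m.group("method").capitalize()
    elif event.startswith("Challenge failed"):
        summary["mfa_failed"].append(state.pop("pending", "unknown"))
    elif m := TOKEN_OK_RE.match(event):
        summary["mfa_success"] = m.group("method")
    elif event == "Radius Authorized":
        summary["authorized"] = True
    # Lines such as 'Began transaction Lock' or 'AD Groups are: ...' are
    # counted but carry nothing the summary needs.


def summarize(log_text):
    """Group lines by session id and reduce each group to a single record."""
    summaries = OrderedDict()
    pending = {}  # per-session scratch state for challenge attribution
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip anything that is not an MFA session line
        session, event = parsed
        summary = summaries.setdefault(session, new_summary(session))
        apply_event(summary, event, pending.setdefault(session, {}))
    return summaries


def format_summary(s):
    """Render one summary as the single message the post sketches."""
    return "\n".join([
        f"Session: {s['session']}",
        f"User: {s['user'] or 'unknown'}",
        f"Login Success: {s['login_success'] or 'none'}",
        f"MFA Failed: {', '.join(s['mfa_failed']) or 'none'}",
        f"MFA Success: {s['mfa_success'] or 'none'}",
        f"Radius Authorized: {'yes' if s['authorized'] else 'no'}",
    ])


if __name__ == "__main__":
    for record in summarize(SAMPLE_LOG).values():
        print(format_summary(record))
        print()
```

Two things worth keeping from this shape whatever tool does the grouping: the failed-method list is kept in order rather than collapsed to a flag, so a session with several push failures before a fallback stands out, and an unfinished session still yields a record (user known, `Radius Authorized: no`) instead of disappearing. The post's lines carry no timestamps, so the "When" would come from the timestamp field on the first and last line of each session once it is present.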