Matching fields across logs without events

Graylog Central (peer support)
1

Is there any way to match fields across logs without events? Let’s say that I have an email in office 365 called john@example.com, and his username is john.cerra I have that same user in an endpoint, and in an anti-phishing solution with the first email. Is there a way to match those fields so that I can just click on a user and it’ll show me all corresponding logs from that user across everything that is correlated?

2

Sounds kind of like you want Parameters… That is an enterprise only feature but if you can keep your logs below 5GB per day you can apply for a free license

3

Thanks, this helps but it’s my understanding that parameters allows queries to be created which are all using the same field and to be able to modify it as a variable name. But would it be possible to say that john@example.com in one query is the same person as johnAccounting in another set? And to tell graylog (not a specific query but add a config parameter) that this field should match this other field in this other log, and it could be any of the user’s nicknames? With parameters, you wouldn’t really be able to add different users for the same person, and you would have to create specific queries and save them for different uses.

For example:
Your user is tmacgbay, and your email might be timothy.mac@corp.com, and I want to see all of your logs quickly, I can just search for your user and your user is an entity, and it’ll search in my AD logs for tmacgbay for user and at the same time for timothy.mac@corp.com in my google worskpace under email.

Does that make sense?

I am using the < 5 GB enterprise license.

4

I see what you are saying. You would have to build a multi-value table for Graylog to reference for something like that. Unfortunately, Graylog hasn’t perfected a multi-value table yet… but here is a workaround you can find here. I found that just recently for somewhat similar reasons…

5

Hello
Adding on to what @tmacgbay stated. You could also use an regex extractor to create a new field for email account/s in messages. If that’s what your concern is.

Maybe something like this.

([a-zA-Z0-9._-]+@([a-zA-Z0-9_-]+\.)+[a-zA-Z0-9_-]+)

https://www.regular-expressions.info/email.html

So if you have a field called EMAIL you can match it with the field UserName. in a widget.

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.