Essentially I have a system that logs session info in multiple lines. The session can be active for hours or even days, so the related record rows can span days as well. See the example below:
timestamp hostname /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: Client initiated SSO logon succeeded - Logon Detection match found, sso config: ......
timestamp hostname /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: Client initiated SSO form submitted for request 'POST .....
timestamp hostname /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: Username 'xxxxx@yyyyy.com'
timestamp hostname /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: Received client info - Hostname: Type: Mozilla Version: 5 Platform: Win8.1 CPU: x64 UI Mode: Full Javascript Support: 1 ActiveX Support: 0 Plugin Support: 0
timestamp hostname /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: Following rule 'fallback' from item 'SSO Credential Mapping' to ending 'Allow'
timestamp hostname /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: Access policy result: LTM+APM_Mode
timestamp hostname /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: New session from client IP 1.2.3.4 (ST=Quebec/CC=CA/C=NA) at VIP 4.3.2.1 Listener .....
timestamp hostname /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: Received User-Agent header: Mozilla...
How can I report on it so that I can see in a single dashboard, for example, multiple logins from the same IP?
Good morning. I think you would create a Rule that would pick these up. And then you create a new Stream using that rule. And then you would create a Dashboard using that Stream. That would get them all in the right place.
If you wanted to group many rows over several days into 1 event/instance, I’m not sure how you would do that. Sounds like a unique field your App may need to send, so you can group on that. May require Event Correlation (Enterprise License).
Thanks for the reply. All these records are already in a new Stream. Just can’t figure out a way to report on it. Seems like this should be functionality of the dashboards, but it’s not there. I could easily get the reporting on this data using PowerBI, MS Access or just about anything else out there, but it seems like this functionality is missing from Graylog.
I think you would then create widgets to be used on Dashboards. But not anything I have done before. Hopefully someone with more experience can comment. I would like to do this at some point. Thank you, Zach.
@jgorlicki
Not sure what your environment is, but I’m using Graylog 4, MongoDB 4.2, and ES version 7.10.
I agree with what @dickinsonzach stated.
For unique devices sending logs, I have created a separate input for them, then created some extractors (i.e. GROK, Regex). Once I have the fields needed, then I made my Stream. From that stream I made my widget on the dashboard; here is an example from that.
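The extract-fields-then-group approach in the reply above, applied to the APM log format from the original question, as an added Python example that is not from this thread or from Graylog: it folds lines into one record per session ID (the 8-hex token before the message, e.g. beaa65eb), pulls the username and client IP out of the relevant lines, and then counts sessions and distinct users per client IP. The timestamps, hostnames, users and IPs in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the question's APM lines (made-up times, users, IPs); the session ID is the 8-hex token before the message.
SAMPLE_LOG = """\
2024-01-10T08:00:01 lb1 /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: Username 'alice@example.com'
2024-01-10T08:00:02 lb1 /Common/WEBMAIL2016-547.app/exch:Common:beaa65eb: New session from client IP 1.2.3.4 (ST=Quebec/CC=CA/C=NA) at VIP 4.3.2.1 Listener x
2024-01-11T09:15:00 lb1 /Common/WEBMAIL2016-547.app/exch:Common:c0ffee01: Username 'bob@example.com'
2024-01-11T09:15:01 lb1 /Common/WEBMAIL2016-547.app/exch:Common:c0ffee01: New session from client IP 1.2.3.4 (ST=Quebec/CC=CA/C=NA) at VIP 4.3.2.1 Listener x
2024-01-11T10:00:00 lb1 /Common/WEBMAIL2016-547.app/exch:Common:d00d1234: Username 'carol@example.com'
2024-01-11T10:00:01 lb1 /Common/WEBMAIL2016-547.app/exch:Common:d00d1234: New session from client IP 5.6.7.8 (ST=Ontario/CC=CA/C=NA) at VIP 4.3.2.1 Listener x
"""

# Prefix grammar: <ts> <host> <policy>:<8-hex session id>: <message>
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<policy>\S+?):(?P<sid>[0-9a-f]{8}):\s+(?P<msg>.*)$")

FIELD_RES = {  # per-message extractors, the equivalent of regex extractors on the message field
    "username": re.compile(r"^Username '(?P<v>[^']+)'"),
    "client_ip": re.compile(r"^New session from client IP (?P<v>[0-9a-fA-F.:]+) "),
}

def parse_sessions(text):
    """Fold the multi-line log into one record per session ID, keyed by that ID."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an APM session line; skip it rather than fail the whole batch
        rec = sessions[m["sid"]]
        rec.setdefault("first_seen", m["ts"])  # the first line seen opens the session
        rec["last_seen"] = m["ts"]             # later lines may arrive days later
        for name, rx in FIELD_RES.items():
            fm = rx.match(m["msg"])
            if fm:
                rec[name] = fm["v"]
    return dict(sessions)

def logins_per_ip(sessions, min_sessions=2):
    """Count sessions and distinct users per client IP; keep IPs at or above the threshold."""
    by_ip = defaultdict(lambda: {"sessions": 0, "users": set()})
    for rec in sessions.values():
        ip = rec.get("client_ip")
        if ip is None:
            continue  # session whose 'New session from client IP' line has not arrived yet
        by_ip[ip]["sessions"] += 1
        if "username" in rec:
            by_ip[ip]["users"].add(rec["username"])
    return {ip: {"sessions": v["sessions"], "users": sorted(v["users"])}
            for ip, v in by_ip.items() if v["sessions"] >= min_sessions}
```

Calling `logins_per_ip(parse_sessions(SAMPLE_LOG))` on the constructed sample reports only 1.2.3.4, which opened two sessions as two different users; in Graylog the same grouping is what a session-ID field from an extractor gives a dashboard widget.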