I’ve been asked to create complex rules on the Graylog we already use, but I can’t find any starting point.
We use Opentext to store all our internal documentation. This Opentext is installed over IIS. We already collect IIS logs in Graylog and apply a few basic rules.
We would like to trigger an alert when a user has done more than 10 of an action in the last 30 minutes.
(Like if an IP (field “c-ip”) has 10 (“objAction” “edit”) in a stream in the last 30 minutes.)
I have used a stream selecting only the messages with the field “objAction=Edit” and I have tried to do a rule source in a pipeline to count.
My idea is this one: if we receive a message, we get the IP of the message and we count all the messages containing this IP in the last 30 minutes (the stream only contains the last 30 minutes’ messages, so that problem is solved).
In the “examples” on the right telling you all the commands you can do while writing a rule, I can’t find anything to count a string in the stream.
If someone has an answer, or specific documentation, it will help me a lot.
From everything I’ve learned, pipeline rules can only interact with a single message and can only interact with messages as they are being ingested into Graylog. You can’t use them to look across multiple messages or interact with historical data.
If anyone jumps in and says I’m wrong I’ll be glad to hear as it’ll greatly expand the capabilities I thought existed, but I do not believe it to be possible.