First, some background on my situation:
My work setup uses a network asset discovery tool call lansweeper to keep an active inventory of all machines and systems on our network. The way it does this is by ssh-ing to the machine and executing several commands as root to identify hardware, installed packages, etc. (e.g. lspci, dmidecode, things of that nature). It’s worked great for us to maintain an active inventory of our stystems and installed software.
The problem, however, is that the messages received by Graylog from the lansweeper agent running commands with sudo are indistinguishable from the messages Graylog receives when any other user runs commands with sudo. What we want to use Graylog for is to monitor all administrative actions on our systems, but we don’t want to mix the messages from lansweeper’s tasks with actions performed by human users.
I’ve found that lansweeper’s commands are executed within five seconds of the agent logging into the system. I would like to separate the messages from lansweeper’s commands from all other messages of sudo usage, and I think the best way to do this would be to process the commands that use sudo from an input within five seconds after the timestamp of the message from the lansweeper agent logging into the system.
Is this something that is possible with Graylog? I’ve looked through the pipelines documentation with the aim of processing messages and sending them to a separate stream if they use sudo within a set time period after the message. I just haven’t found a way of processing past messages.