Is there any way to show 2 logs (different servers) together if the field response is the same?
Example: IP field. I want it to show everything that the result of the IP field is equal.
I would like you to join the 2 logs. Whenever you see the value of the IP field is equal.
Filter: source:(âIP_MXâ OR HOST_SERVER) AND exists:IP AND message:(âclient_vpn_connectâ OR âAccepted passwordâ)
Log MX: IP_MX MX_NAME events client_vpn_connect user id âusernameâ local ip xxx.xxx.xxx.xxx connected from xxx.xxx.xxx.xxx
Log server: Date HOST_SERVER sshd[xxxx]: Accepted password for user from xxx.xxx.xxx.xxx port xxxxx ssh2
I would like to get it when the person accesses the vpn and connects to the server.
Meaning you want an Alert when two messages from separate sources match with IP or do you want to look up all the messages related to the IP and show the results? I suspect the first one, but just checking⊠because the first one is more difficult.
1 Like
Thatâs right, the first option.
I want it to show the log when the IP of mx log and IP of server log is the same.
The only way I can think of doing that within Graylog is via the correlation engine. You need to have a Operations License to use it though. Licenses are free if you can keep your data within 2GB per day.
1 Like
Doesnât have any filter that reads the field and checks the value if itâs equal?
For the most part, Graylog interacts one message at a time⊠though perhaps semi-parallel for speed⊠once you get beyond the OpenSource version you start getting tools for what you are looking for. I suppose you could build a dashboard that exposes IP cardinality but it would not give you the Alerts you are looking for.
1 Like
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.