Same user login from different gio location alerts from graylog


(Naggappan) #1

Hi I am getting logs into graylog in json format, and the source address field in json is considered by Gio-location plugin and provides proper country + city details.

Now is there any way in graylog or plugin to consider 2 fields “user” + “gio_location” and say if within 1 hr the user tried to access from 2 different location then need to raise an alert.

I am alrady using aggregator plugin but not able to implement this kind of usecases. Or please provide me some options how I can implement this kind of complex usecases.


(Jan Doberstein) #2

He @naggappan

I do not know of such a plugin - I guess you already searched the marketplace? Maybe some of the airbus plugins can help: https://github.com/airbus-cyber


(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.