Same user login from different geo location alerts from Graylog

Hi, I am getting logs into Graylog in JSON format, and the source address field in the JSON is picked up by the Geo-location plugin, which provides proper country + city details.

Now, is there any way in Graylog or a plugin to consider 2 fields “user” + “gio_location” and say that if within 1 hr the user tried to access from 2 different locations then an alert needs to be raised?

I am already using the aggregator plugin but am not able to implement this kind of use case. Or please provide me some options for how I can implement this kind of complex use case.

Hey @naggappan

I do not know of such a plugin - I guess you already searched the marketplace? Maybe some of the airbus plugins can help: https://github.com/airbus-cyber
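
The correlation asked about in the question, as an added example that is not part of the original thread and is not a Graylog plugin: a Python function that flags a user seen from two different locations within one hour. The `user` and `gio_location` field names come from the question; the `timestamp` field name, its ISO 8601 format, and the sample messages are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)

# Constructed sample messages, one JSON document per line, including one
# malformed line and one message with no location field.
SAMPLE_LOGS = """\
{"timestamp": "2024-01-10T08:00:00+00:00", "user": "alice", "gio_location": "Chennai, IN"}
{"timestamp": "2024-01-10T08:05:00+00:00", "user": "bob", "gio_location": "Paris, FR"}
{"timestamp": "2024-01-10T10:30:00+00:00", "user": "bob", "gio_location": "Berlin, DE"}
{"timestamp": "2024-01-10T08:40:00+00:00", "user": "alice", "gio_location": "Frankfurt, DE"}
{"timestamp": "2024-01-10T09:00:00+00:00", "user": "carol", "gio_location": "Lyon, FR"}
{"timestamp": "2024-01-10T09:10:00+00:00", "user": "carol", "gio_location": "Lyon, FR"}
{"timestamp": "2024-01-10T09:20:00+00:00", "user": "dave"}
this line is not json
"""

def parse_events(lines):
    """Yield (time, user, location) per JSON line, skipping unusable lines."""
    for line in lines.splitlines():
        try:
            msg = json.loads(line)
            ts = datetime.fromisoformat(msg["timestamp"])
            user, loc = msg["user"], msg["gio_location"]
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, or a required field is missing/invalid
        if user and loc:
            yield ts, user, loc

def detect_location_changes(lines, window=WINDOW):
    """Return (user, previous_location, new_location, minutes_apart) alerts."""
    last_seen = defaultdict(dict)  # user -> {location: last time seen there}
    alerts = []
    # Sort by time so out-of-order delivery does not hide or invent a change.
    for ts, user, loc in sorted(parse_events(lines)):
        for other, seen in last_seen[user].items():
            if other != loc and ts - seen <= window:
                minutes = int((ts - seen).total_seconds() // 60)
                alerts.append((user, other, loc, minutes))
        last_seen[user][loc] = ts
    return alerts

if __name__ == "__main__":
    for user, old, new, minutes in detect_location_changes(SAMPLE_LOGS):
        print(f"ALERT {user}: {old} -> {new} within {minutes} min")
```

VPN egress points and mobile carriers can change the resolved city between logins, so comparing on country rather than city reduces false positives.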
