Saving variables across events in pipelines?

comp_whiz · March 12, 2017, 1:59pm

I have a use case where I need to log privileged user activity in Windows.

I have setup a stream for privileged user logons. Now I need to save the Logon ID from these events (it is extracted in a field), and log all subsequent events with the same Logon ID. The Logon ID is created and assigned randomly at logon time, and lasts until the account logs off. All account activity has that Logon ID embedded somewhere in the event.

Scenario is as follows:

Identify (done via stream) and save the Logon ID of a privileged account (How?) at logon time.
Look for all subsequent security audit events that have the Logon ID field with the value saved in Step 1. How?
Stop processing when the account logs off (Logoff event with the same Logon ID as in step 1).

All the events with that logon ID constitute a session to track automatically.

Can this be done with pipelines? I know pipelines allow searches for information within an event, but not across events. Is my understanding of pipelines correct?

derPhlipsi · March 12, 2017, 4:00pm

Hey @comp_whiz,

this is not possible yet afaik.

But it is already known and planned in a similar way, see here:
https://graylog.ideas.aha.io/ideas/GL2E-I-557

If you need it as soon as possible, you should look into writing the function yourself.

Greetings - Phil

Topic		Replies	Views
Windows Logon Session Time Monitoring Graylog Central (peer support) pipeline-rules , windows , winlogbeat , alert , timestamp	4	638	December 28, 2023
Graylog notification/streams/alerts Graylog Central (peer support)	3	39	December 20, 2024
Correlate events Graylog Central (peer support)	3	1581	March 24, 2018
Variables in pipelines Graylog Central (peer support) pipeline-rules	2	1526	July 10, 2020
Graylog Pipeline rule Graylog Central (peer support) windows , nxlog	18	1579	September 26, 2023

Saving variables across events in pipelines?

Related topics