Saving variables across events in pipelines?


#1

I have a use case where I need to log privileged user activity in Windows.

I have set up a stream for privileged user logons. Now I need to save the Logon ID from these events (it is extracted in a field), and log all subsequent events with the same Logon ID. The Logon ID is created and assigned randomly at logon time, and lasts until the account logs off. All account activity has that Logon ID embedded somewhere in the event.

Scenario is as follows:

  1. Identify (done via stream) and save the Logon ID of a privileged account (How?) at logon time.
  2. Look for all subsequent security audit events that have the Logon ID field with the value saved in Step 1. How?
  3. Stop processing when the account logs off (Logoff event with the same Logon ID as in step 1).

All the events with that logon ID constitute a session to track automatically.

Can this be done with pipelines? I know pipelines allow searches for information within an event, but not across events. Is my understanding of pipelines correct?
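As an added example (not code from this thread or from Graylog), the three steps above carried out by a small stand-alone Python tracker over constructed Windows Security events: it keeps the Logon ID state across events that a single pipeline rule has nowhere to hold. Field names (EventID, TargetLogonId, SubjectLogonId, TargetUserName) follow the Windows Security log; the privileged-account set stands in for the stream classification, and the sample events are constructed.

```python
"""Session tracking by Windows Logon ID across events (added example).

Remember the Logon ID of a privileged logon (4624), tag every later event
carrying that Logon ID as session activity, and close the session on logoff
(4634 or 4647). Logon/logoff events carry the ID in TargetLogonId; most other
activity events (e.g. 4688 process creation) carry it in SubjectLogonId, so
both fields are checked.
"""
from collections import defaultdict

LOGON_EVENT = 4624
LOGOFF_EVENTS = {4634, 4647}

# Constructed: in the thread this classification is done by the stream.
PRIVILEGED_ACCOUNTS = {"svc-backup", "dom-admin"}

# Constructed sample events, in arrival order.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "dom-admin", "TargetLogonId": "0x3E7A1"},
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetLogonId": "0x3E7B2"},  # not privileged
    {"EventID": 4688, "SubjectLogonId": "0x3E7A1", "NewProcessName": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 4688, "SubjectLogonId": "0x3E7B2", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 4634, "TargetLogonId": "0x3E7A1"},  # step 3: logoff ends the session
    # Constructed only to show that tracking stops after the logoff.
    {"EventID": 4688, "SubjectLogonId": "0x3E7A1", "NewProcessName": r"C:\Windows\System32\notepad.exe"},
]


class SessionTracker:
    """Holds the cross-event state that one pipeline rule cannot keep."""

    def __init__(self, privileged_accounts):
        self.privileged = set(privileged_accounts)
        self.open_sessions = {}            # logon_id -> account name
        self.sessions = defaultdict(list)  # logon_id -> events in that session

    def process(self, event):
        """Return the session's Logon ID if the event belongs to a tracked session, else None."""
        event_id = event["EventID"]

        # Step 1: a privileged logon opens a session keyed by its Logon ID.
        if event_id == LOGON_EVENT and event.get("TargetUserName") in self.privileged:
            logon_id = event["TargetLogonId"]
            self.open_sessions[logon_id] = event["TargetUserName"]
            self.sessions[logon_id].append(event)
            return logon_id

        # Step 2: any later event carrying a remembered Logon ID is session activity.
        for field in ("TargetLogonId", "SubjectLogonId"):
            logon_id = event.get(field)
            if logon_id in self.open_sessions:
                self.sessions[logon_id].append(event)
                # Step 3: a logoff with that Logon ID closes the session.
                if event_id in LOGOFF_EVENTS and field == "TargetLogonId":
                    del self.open_sessions[logon_id]
                return logon_id
        return None


def track_sessions(events, privileged_accounts):
    """Run the tracker over an ordered event list; return logon_id -> list of EventIDs."""
    tracker = SessionTracker(privileged_accounts)
    for event in events:
        tracker.process(event)
    return {lid: [e["EventID"] for e in evs] for lid, evs in tracker.sessions.items()}


if __name__ == "__main__":
    for logon_id, event_ids in track_sessions(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS).items():
        print(f"session {logon_id}: events {event_ids}")
```

The tracker has to see events in arrival order, which is the same constraint a pipeline stage would face; the state it keeps (the `open_sessions` map) is exactly what the question asks for and what a per-event rule does not have.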


(Philipp Ruland) #2

Hey @comp_whiz,

this is not possible yet afaik.

But it is already known and planned in a similar way, see here:
https://graylog.ideas.aha.io/ideas/GL2E-I-557
https://github.com/Graylog2/graylog-plugin-pipeline-processor/issues/27
https://github.com/Graylog2/graylog-plugin-pipeline-processor/issues/151

If you need it as soon as possible, you should look into writing the function yourself.

Greetings - Phil