Scheduling Events


1. Describe your incident:
Hi, how should I schedule alerts in Graylog? I have configured Telegram notifications for VPN events, but I want to get notifications after 6 o'clock. Thanks!

2. Describe your environment: centralized Graylog server for collecting logs from devices.

  • OS Information: Centos 7

  • Package Version: 4.2.9

Hello && Welcome @turb0snail

Depending on how you set up the Event Definition, and when, this can be achieved.

Hi gsmith, Thanks for your response.
Could you please send me a guide to Event Definition configuration?
Thanks.

Hello

You can look here.

Hope that helps


Hello gsmith, I looked at this alerting example; there was no information about scheduling events. I checked every detail but nothing worked.
Could you please send something related to scheduling after 6 o'clock? We want to see some specific logins through VPN after work in order to increase security; that is why this is urgent and I need guidance for accomplishing this task.
I appreciate your attention.

Hello,

I probably should have been clearer, my apologies. There is not a setting for this in Event Definition.

This can be done through a pipeline. As shown here.

Hi,
Thanks for sharing this wonderful pipeline with me.
I have some problems with changing values for my organization.
Could you please tell me which fields I should change for Telegram notifications?

What should I replace the trigger_workhours_off field with in the pipeline?

I have configured the pipeline as given below. Unfortunately, it is not working. Additionally, I changed the order of the Message Processors Configuration to:

1. Message Filter Chain
2. Pipeline Processor
3. GeoIP Resolver
4. Illuminate Processor
5. AWS Instance Name Lookup

My main goal right now is this: I want to collect logs from the All Messages stream via a pipeline and send them to another stream that I have configured. Then I would like to capture information from the newly created stream (I am going to choose that stream in the event definition) and send that data to my Telegram channel. As I mentioned in the pipeline config, I would like to see VPN logins after business hours.

```
rule "Between 6 PM and 6 AM"
when
  // Only VPN login messages: the has_field() checks belong in the condition,
  // where their result is used (in a then-block the returned value is discarded).
  has_field("FTNTFGTxauthuser") AND
  has_field("FTNTFGTxauthgroup") AND
  has_field("FTNTFGTvpntunnel") AND
  has_field("FTNTFGTtunneltype") AND
  has_field("FTNTFGTtunnelip") AND
  (
    // 00:00-06:59 local time
    ( to_long(to_date($message.timestamp, "Asia/Baku").hourOfDay) >= 0 AND
      to_long(to_date($message.timestamp, "Asia/Baku").hourOfDay) <= 6 ) OR
    // 18:00-23:59 local time
    ( to_long(to_date($message.timestamp, "Asia/Baku").hourOfDay) >= 18 AND
      to_long(to_date($message.timestamp, "Asia/Baku").hourOfDay) <= 23 )
  )
then
  route_to_stream(id: "62beab99790aa16376a3a76e");
end
```

If it is possible, lead me through proper guidance in order to achieve this goal.

Hello,

The pipeline is one part; there are other components that need to be configured to get the desired outcome. I'll try to explain all the steps for you. This was made for a Windows environment and I'm using a GELF TCP/TLS input, so my fields will be created for me. This probably could be done with just a pipeline, but I haven't upgraded this procedure yet. It's been working for a couple of years now and I'm lazy :laughing: The best advice would be to create a stream and dump what you need in there for this alert. You're probably going to have to adjust this for your setup. When the pipeline notices a message arriving in this stream it checks the date/time and either creates a field called trigger_workhours_off or not, depending on the settings in the pipeline. That's all it does: check if it is "true" or "false", and if true create a field. Hence why I have three (3) rules on my stream.

Example:

Stream: This is where the pipeline will be attached. I have created three (3) rules to filter out the white noise using the following fields (Logotype, EventID, full_message). I also have it set to "A message must match all of the following rules", so when a message comes into this stream I know it's a user who logged into this environment.


Pipeline: Attach the pipeline to the stream called “Windows: User Successful Logon Local”.
The following shows the stages.

NOTE: Your Message Processors Configuration is correct.

So when that is operating correctly, it's time to add the alert.

Event Definition:
OK, to sum it up from here: 1 stream created to dump user logons. Then I routed those messages to a different stream (#2) if the rule matches, i.e. FIELD: trigger_workhours_off == True, because this will control how I set up my alerts.
Here is the summary of that last stream that will send an alert for either a user logon after hours or on the weekend. I remind you that all this will have to be adjusted to your environment. This may not be a copy & paste situation.

Results: This alert fired because a user logged on on a Sunday.

Stream:

Alerts & Events:

Email Notification:

Hope this will help you understand how it works; I also know this can be adjusted to fit your setup better.
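As an added example (not code from this thread, from gsmith's setup, or from Graylog's own documentation), the two rules below implement the approach described above: a first-stage rule that tags each VPN login with trigger_workhours_off, and a second-stage rule that routes tagged messages to the stream the Event Definition watches. The Fortinet field names are taken from the rule posted earlier in the thread; the time zone, the business-hours window (06:00 to 18:00, Monday to Friday) and the stream id placeholder are assumptions.

```graylog
// Stage 0: decide whether a VPN login arrived outside business hours.
// Field names are the Fortinet fields from the rule posted above; the
// time zone and the 06:00-18:00 Mon-Fri window are assumptions.
rule "VPN login: tag off-hours logins"
when
  has_field("FTNTFGTxauthuser") && has_field("FTNTFGTvpntunnel")
then
  let local_ts = to_date($message.timestamp, "Asia/Baku");
  let hour = to_long(local_ts.hourOfDay);   // 0..23 in local time
  let dow  = to_long(local_ts.dayOfWeek);   // Joda-Time: 1 = Monday ... 7 = Sunday
  // Off hours: before 06:00, from 18:00 onwards, or any time on Saturday/Sunday.
  let off_hours = hour < 6 || hour >= 18 || dow >= 6;
  set_field("trigger_workhours_off", off_hours);
  set_field("login_local_hour", hour);     // kept for troubleshooting the rule
end

// Stage 1 (must run after the rule above so the field already exists):
// route only tagged logins to the stream the Event Definition watches.
// "<OFF_HOURS_STREAM_ID>" is a placeholder; use your own stream's id.
rule "VPN login: route off-hours logins to alert stream"
when
  has_field("trigger_workhours_off") &&
  to_bool($message.trigger_workhours_off) == true
then
  route_to_stream(id: "<OFF_HOURS_STREAM_ID>");
end
```

Because the time check lives in the pipeline and the Event Definition only watches the target stream, no scheduling setting is needed in the Event Definition itself, which is the point gsmith makes above.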

