Search and action to an API

Hello,

Description of your problem
I want to search in Graylog for IPs that are trying to log in on several servers with different usernames; if that happens X times in Y minutes, I want an API call (an action) to be sent to our firewall (OPNsense) to block that IP (similar to fail2ban). My question is: is that possible, and if so, how?

Environmental information

Operating system information

  • Debian

Package versions

  • Graylog 4.1.4
  • MongoDB 4.4.8
  • Elasticsearch 7.10.2

Hey there. So the existing HTTP notification callback only does a POST to a third-party application. You’d probably have to use a script notification to make a POST to the OPNsense endpoint.

Thanks for that! That is very sad; will it be possible in the future?
Apart from that, are the other things possible?

Hmmmm, I’m not quite sure what you mean. The HTTP callback feature works if you need to just send a POST, and the script notification would be exactly what you need, though you’d have to have an enterprise license for it.

As for a feature request, what would you have in mind? If you’ve got a good idea of what you’d like to see and how you’d like to see it implemented, I’d recommend opening a feature request so that our product and development teams can evaluate it.


Sorry for my bad English…

Is it possible to get a mail (or whatever) if an IP address tries to log in on several servers/websites with different usernames (within a specific time range and X tries)? If yes, how should the event definition look, and how do I get just the IP in the mail?
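The detection asked about in this thread (one source IP, several usernames, several servers, X attempts in Y minutes), as an added example that is not part of the thread. In Graylog this is the kind of condition an aggregation event definition expresses: group by the source-address field, look at the last Y minutes, and require the attempt count and the number of distinct usernames and hosts to exceed thresholds. The Python below runs the same sliding-window logic offline over constructed sshd-style log lines so the rule can be reasoned about before it is built in the UI; the log format, field names and thresholds are assumptions, not anything from the thread.

```python
"""Sliding-window login-failure correlation per source IP (added example).

Constructed sshd-style syslog lines; thresholds are the X/Y from the question.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data. 203.0.113.7 sprays five usernames over three hosts in
# four minutes; 198.51.100.9 hammers one account on one host; 192.0.2.44 spreads
# its attempts 30 minutes apart so no 10-minute window ever holds enough of them.
SAMPLE_LOGS = [
    "Sep 20 08:00:00 web01 sshd[300]: Failed password for invalid user admin from 192.0.2.44 port 5001 ssh2",
    "Sep 20 08:30:00 web02 sshd[301]: Failed password for root from 192.0.2.44 port 5002 ssh2",
    "Sep 20 09:00:00 mail01 sshd[302]: Failed password for invalid user test from 192.0.2.44 port 5003 ssh2",
    "Sep 20 09:30:00 web01 sshd[303]: Failed password for invalid user admin from 192.0.2.44 port 5004 ssh2",
    "Sep 20 10:00:00 web02 sshd[304]: Failed password for root from 192.0.2.44 port 5005 ssh2",
    "Sep 20 10:00:01 web01 sshd[100]: Failed password for invalid user admin from 203.0.113.7 port 4100 ssh2",
    "Sep 20 10:00:45 web02 sshd[101]: Failed password for root from 203.0.113.7 port 4101 ssh2",
    "Sep 20 10:01:30 mail01 sshd[102]: Failed password for invalid user test from 203.0.113.7 port 4102 ssh2",
    "Sep 20 10:02:10 web01 sshd[103]: Failed password for invalid user oracle from 203.0.113.7 port 4103 ssh2",
    "Sep 20 10:03:05 web02 sshd[104]: Failed password for invalid user postgres from 203.0.113.7 port 4104 ssh2",
    "Sep 20 10:04:00 mail01 sshd[105]: Failed password for invalid user admin from 203.0.113.7 port 4105 ssh2",
    "Sep 20 10:05:00 web01 sshd[200]: Failed password for bob from 198.51.100.9 port 6000 ssh2",
    "Sep 20 10:05:10 web01 sshd[201]: Failed password for bob from 198.51.100.9 port 6001 ssh2",
    "Sep 20 10:05:20 web01 sshd[202]: Failed password for bob from 198.51.100.9 port 6002 ssh2",
    "Sep 20 10:05:30 web01 sshd[203]: Failed password for bob from 198.51.100.9 port 6003 ssh2",
    "Sep 20 10:05:40 web01 sshd[204]: Failed password for bob from 198.51.100.9 port 6004 ssh2",
    "Sep 20 10:05:50 web01 sshd[205]: Failed password for bob from 198.51.100.9 port 6005 ssh2",
    "Sep 20 10:06:00 web01 sshd[206]: Accepted password for alice from 10.0.0.5 port 7000 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse(line, year=2021):
    """Return (timestamp, host, user, ip) for a failed-login line, else None.

    Syslog timestamps carry no year; ``year`` is supplied by the caller.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["user"], m["ip"]


def find_offenders(lines, max_tries=5, window=timedelta(minutes=10),
                   min_users=2, min_hosts=2):
    """Map IP -> (attempts, usernames, hosts) for IPs whose attempts within any
    ``window`` reach ``max_tries`` and touch enough distinct users and hosts.

    This is the offline equivalent of grouping by source IP over the last Y
    minutes and thresholding count(), card(user) and card(host).
    """
    per_ip = defaultdict(deque)  # ip -> recent (ts, host, user), oldest first
    offenders = {}
    for ts, host, user, ip in sorted(filter(None, map(parse, lines))):
        recent = per_ip[ip]
        recent.append((ts, host, user))
        while recent and ts - recent[0][0] > window:
            recent.popleft()  # drop attempts that fell out of the window
        users = {u for _, _, u in recent}
        hosts = {h for _, h, _ in recent}
        if len(recent) >= max_tries and len(users) >= min_users and len(hosts) >= min_hosts:
            offenders[ip] = (len(recent), users, hosts)
    return offenders


if __name__ == "__main__":
    for ip, (n, users, hosts) in find_offenders(SAMPLE_LOGS).items():
        print(f"{ip}: {n} failures, users={sorted(users)}, hosts={sorted(hosts)}")
```

The distinct-user and distinct-host conditions are what separate a credential spray from a user who mistyped a password six times; if the event definition only counts failures per IP, the notification (and the firewall block that follows it) will fire on your own staff.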
