Description of your problem
I want to search in Graylog for IPs that are trying to log in on several servers with different usernames. If that happens X times in Y minutes, I want to make an API call (an action) to our firewall (OPNsense) and block that IP (similar to fail2ban). My question is: is that possible, and if so, how?
Hey there. So the existing HTTP notification callback only does a post to a 3rd party application. You’d probably have to use a script notification to make a post to the OPNsense endpoint.
Hmmmm, I’m not quite sure what you mean. The HTTP callback feature works if you need to just send a POST, and the script notification would be exactly what you need, though you’d have to have an enterprise license for it.
As for a feature request, what would you have in mind? If you’ve got a good idea of what you’d like to see and how you’d like to see it implemented, I’d recommend opening a feature request so that our product and development teams can evaluate it.
Is it possible to get a mail (or whatever) if an IP address tries to log in on several servers/websites with different usernames (in a specific time range and X tries)? If yes, how should the event definition look, and how do I get just the IP in the mail?
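
The correlation asked about in this thread (one source IP, several servers, different usernames, X tries in Y minutes), as an added example that is not part of the original posts and is not Graylog or OPNsense code. The event tuples, thresholds and the `find_offenders` name are assumptions made for illustration; the script only returns block candidates and calls neither product's API.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-login events: (timestamp, server, source IP, username).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:05", "web01", "203.0.113.7", "admin"),
    ("2024-01-01T10:00:40", "web02", "203.0.113.7", "root"),
    ("2024-01-01T10:01:10", "mail01", "203.0.113.7", "test"),
    ("2024-01-01T10:01:55", "web01", "203.0.113.7", "oracle"),
    # One user mistyping a password on one server: many attempts, one username.
    ("2024-01-01T10:02:00", "web01", "198.51.100.20", "alice"),
    ("2024-01-01T10:02:10", "web01", "198.51.100.20", "alice"),
    ("2024-01-01T10:02:20", "web01", "198.51.100.20", "alice"),
    ("2024-01-01T10:02:30", "web01", "198.51.100.20", "alice"),
    ("2024-01-01T10:02:40", "web01", "198.51.100.20", "alice"),
    # Several usernames on two servers, but spread over 40 minutes.
    ("2024-01-01T10:00:00", "web01", "192.0.2.44", "admin"),
    ("2024-01-01T10:15:00", "web02", "192.0.2.44", "guest"),
    ("2024-01-01T10:30:00", "web01", "192.0.2.44", "backup"),
    ("2024-01-01T10:40:00", "web02", "192.0.2.44", "ftp"),
    # Unparseable source field: skipped, never passed on as a block candidate.
    ("2024-01-01T10:03:00", "web01", "not-an-ip", "admin"),
]

def find_offenders(events, window=timedelta(minutes=5), min_attempts=4,
                   min_users=3, min_servers=2):
    """Return source IPs that, inside one sliding window, reach all three thresholds."""
    parsed = sorted((datetime.fromisoformat(t), s, i, u) for t, s, i, u in events)
    recent = defaultdict(deque)   # ip -> failed attempts still inside the window
    offenders = set()
    for ts, server, raw_ip, user in parsed:
        try:
            ip = str(ipaddress.ip_address(raw_ip))  # validate and normalise
        except ValueError:
            continue
        attempts = recent[ip]
        attempts.append((ts, server, user))
        while ts - attempts[0][0] > window:          # expire old attempts
            attempts.popleft()
        users = {u for _, _, u in attempts}
        servers = {s for _, s, _ in attempts}
        if (len(attempts) >= min_attempts and len(users) >= min_users
                and len(servers) >= min_servers):
            offenders.add(ip)
    return sorted(offenders)

if __name__ == "__main__":
    print(find_offenders(SAMPLE_EVENTS))
```

Requiring distinct usernames and distinct servers, not just a raw attempt count, keeps a single user who repeatedly mistypes a password from being reported as a block candidate.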