Single Login, Multiple IP addresses

Hi there, I have just started using Graylog and so far I'm very impressed. I’m pulling in Windows security logs and trying to create a search to find instances where a single user has logged in via more than 3 IP addresses in the last 24 hours. I have done similar in Splunk, however I'm having some issues in Graylog. Any ideas how this can be achieved?
Thanks very much

There are some limits to Graylog’s alerting capabilities. The default capabilities will not allow that. This plugin may assist, but it seems its purpose is looking for matching fields, so not sure it can be used for different IP addresses. https://marketplace.graylog.org/addons/0d01a899-138a-4f77-a9e7-04be4cc5e190

Hopefully in future the capabilities for alerting, especially across conditions of fields over periods of time, will improve, but currently I am not sure whether you will be able to get this detailed. That plugin will likely be your best bet.

Thanks very much, will check out this plugin and see what I can come up with. I hope the capabilities increase also, as it is an awesome product.
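
The check asked about in this thread (one user seen from more than 3 source IPs within 24 hours), as an added example that is not part of any post above and is not Graylog functionality: a Python pass over logon events exported from the log store. The `(timestamp, user, source IP)` layout and every sample event are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)
THRESHOLD = 3  # flag users seen from MORE than 3 distinct IPs

# Constructed sample logon events: (ISO timestamp, user, source IP).
SAMPLE_EVENTS = [
    # alice: 4 distinct IPs inside 23h45m -> should be flagged
    ("2024-05-01T08:00:00", "alice", "10.0.0.5"),
    ("2024-05-01T12:30:00", "alice", "10.0.0.5"),
    ("2024-05-01T13:00:00", "alice", "192.0.2.10"),
    ("2024-05-01T21:15:00", "alice", "198.51.100.7"),
    ("2024-05-02T07:45:00", "alice", "203.0.113.9"),
    # bob: 4 distinct IPs, but each logon is 25h after the previous one
    ("2024-05-01T09:00:00", "bob", "10.0.0.8"),
    ("2024-05-02T10:00:00", "bob", "192.0.2.44"),
    ("2024-05-03T11:00:00", "bob", "198.51.100.20"),
    ("2024-05-04T12:00:00", "bob", "203.0.113.30"),
    # carol: exactly 3 distinct IPs in a day, which is not "more than 3"
    ("2024-05-01T08:10:00", "carol", "10.0.0.9"),
    ("2024-05-01T09:10:00", "carol", "192.0.2.77"),
    ("2024-05-01T10:10:00", "carol", "198.51.100.88"),
    ("2024-05-01T11:10:00", "carol", "10.0.0.9"),
]

def users_over_threshold(events, window=WINDOW, threshold=THRESHOLD):
    """Return {user: sorted distinct IPs} for users seen from more than
    `threshold` distinct IPs inside any sliding `window`."""
    recent = defaultdict(deque)  # user -> (time, ip) pairs still in the window
    flagged = {}
    for ts, user, ip in sorted(events):  # ISO timestamps sort chronologically
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((now, ip))
        # Drop logons that have aged out of the window ending at `now`.
        while now - q[0][0] > window:
            q.popleft()
        ips = {seen_ip for _, seen_ip in q}
        # Keep the largest distinct-IP set observed for the user.
        if len(ips) > threshold and len(ips) > len(flagged.get(user, ())):
            flagged[user] = sorted(ips)
    return flagged

if __name__ == "__main__":
    for user, ips in users_over_threshold(SAMPLE_EVENTS).items():
        print(f"{user}: {len(ips)} source IPs in 24h: {', '.join(ips)}")
```

The window slides per event rather than using fixed calendar days, so logons that straddle midnight are still counted together.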
