Sort unique logs to find users that haven't logged in for a long time


1. Describe your incident:
I have a running graylog and the logs are coming in with a running extractor for the username.
Now what I want to do is to find all users that have not logged in for more than 90 days. Is it possible to search for these users? So something like: show all users in logs older than 90 days, but do not show them if the username appears in a log newer than 90 days.

2. Describe your environment:

  • OS Information: Oracle Linux

  • Package Version: Graylog 5.0.8+4c22532 (Eclipse Adoptium 17.0.6 on Linux 5.4.17-2136.300.7.el8uek.x86_64)

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
I can search for users, because I’ve got the key to do so, but unique ones that are older than 90 days are a problem right now.

4. How can the community help?
Maybe someone got something like this already done, because I don’t know how to start here…


I’m trying to think of an easy way to do this in Graylog. My thought process would be to make 2 lists, one of users contained in your search query result (e.g. logged in in the past X days), and a second list of ALL users. Using something like a text compare tool or Excel and VLOOKUPs these 2 lists can be cross-checked. It’s not exactly elegant though and requires external tools.

For your exact example, I wouldn’t use Graylog personally. Instead I would craft the LDAP query to search (e.g. lastLogonTimestamp) for what you are looking for, such as last login older than a certain date.

Hope that helps.
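The two-list method from the reply above, worked through in code. This is an added example, not code from the original thread or from Graylog: the log lines are constructed, the sshd-style line format and the regex standing in for the poster's username extractor are assumptions, and the reference time is fixed so the run is reproducible. It reduces the exported logs to one "last successful login" per user and then reports everyone whose last login is older than 90 days; failed logins are deliberately ignored so that a brute-forced account does not look active.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the original post). The line format and
# field layout are assumptions; in Graylog the username would come from the
# poster's extractor rather than from this regex.
SAMPLE_LOGS = """\
2024-01-03T08:15:22Z sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 51022
2024-02-10T09:02:11Z sshd[1311]: Accepted password for bob from 10.0.0.7 port 51110
2024-04-28T17:45:01Z sshd[1412]: Accepted publickey for alice from 10.0.0.5 port 51300
2023-11-30T23:59:59Z sshd[1500]: Accepted publickey for carol from 10.0.0.9 port 52000
2024-05-01T07:00:00Z sshd[1601]: Failed password for dave from 10.0.0.11 port 53000
"""

# Only successful logins count: "Failed password" lines do not match on purpose,
# so an account that is merely being attacked is not counted as active.
LOGIN_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from ")

# Fixed "now" so the example gives the same answer every run (an assumption).
REFERENCE_NOW = datetime(2024, 5, 10, tzinfo=timezone.utc)


def parse_ts(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def last_login_per_user(log_text: str) -> dict[str, datetime]:
    """Reduce the log to one row per user: the most recent successful login."""
    last_seen: dict[str, datetime] = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue
        user, ts = m.group("user"), parse_ts(m.group("ts"))
        if user not in last_seen or ts > last_seen[user]:
            last_seen[user] = ts
    return last_seen


def stale_users(last_seen: dict[str, datetime], now: datetime,
                max_age: timedelta = timedelta(days=90)) -> dict[str, datetime]:
    """Users whose most recent login is strictly older than max_age before now."""
    cutoff = now - max_age
    return {u: ts for u, ts in last_seen.items() if ts < cutoff}


def two_list_diff(log_text: str, now: datetime,
                  max_age: timedelta = timedelta(days=90)) -> set[str]:
    """The reply's two-list method: ALL users seen in the logs, minus the users
    seen within the window. Same result as stale_users, built the way the reply
    describes doing it by hand with a compare tool or VLOOKUP."""
    last_seen = last_login_per_user(log_text)
    cutoff = now - max_age
    all_users = set(last_seen)
    recent_users = {u for u, ts in last_seen.items() if ts >= cutoff}
    return all_users - recent_users


if __name__ == "__main__":
    stale = stale_users(last_login_per_user(SAMPLE_LOGS), REFERENCE_NOW)
    for user, ts in sorted(stale.items()):
        print(f"{user}: last login {ts.isoformat()}, {(REFERENCE_NOW - ts).days} days ago")
```

Two caveats when applying this to real data. The log-based approach can only see users whose last login is still inside Graylog's retention: an account whose last login predates the oldest retained message never shows up in either list, which is one reason the reply prefers an LDAP query. And if that query uses Active Directory's lastLogonTimestamp, remember it is a replicated attribute that is only refreshed when the stored value is older than the sync interval (14 days by default), so treat it as accurate to roughly two weeks, not to the day.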
