Streams / Events templates or examples

Hi, I’m a new user of Graylog and new here in the community. I finally succeeded in installing Graylog and sending logs to it. Now, the next step is configuring streams and events/alerts. I was wondering (after googling without success) if there are any generic templates or examples available for streams and events? Events like logging failed connections/attempts, big downloads from our site, … I’m sure that almost every Graylog user is looking for the same security-issue events.

I’m using Graylog over Debian 11
Graylog 4.2
Elasticsearch 8.1
Mongo 5.0

Thanks for your help

Hello && Welcome @jcfrigon

No templates that I know of, but for configurations on Streams and events we could possibly help you with this.

There might possibly be a plugin for this.

If you’re under 2 GB a day you can get a free enterprise license.

Doing this yourself, you would need the correct fields, and this depends on what type of input you’re using, what kind of logs are shipped, etc.

Example from my environment: user failed to log on, Windows Server OS.

INPUT

Windows System Secure GELF TCP

Stream Name

Windows: User Credentials Failed logon Attempt

Stream Rules

  • full_message must contain Unknown user name or bad password.
  • EventID must match exactly 4625

Event Created

Alert

Dashboard

Since fields will vary, I have different inputs for Linux Servers, Windows, Switches, Firewall, etc.

To find out who failed to log on, each device will create a different message. Some are easy, like Windows, which can use an EventID; others, like switches, are a little harder, meaning I had to create a unique field for failed logon attempts.
Hope that helps


Thanks @gsmith for your answer. I will definitely use your example. I was also thinking that there were a lot of different inputs; that’s why I was asking, because searching for tendencies in the existing logs I got is a clerical job!!! hehehe But still, almost everyone uses Windows workstations/servers or Linux workstations/servers, so that’s why I was asking. For equipment like firewalls, switches, etc., you are right, there is a lot of variety of types, models and brands, so just as many different messages…
Thanks again for taking the time to answer me.


Hi @gsmith, I’m trying to replicate your example. And I’m already stuck at the stream rules… :sweat_smile:

My question is: I’m able to create the condition for “full_message must contain Unknown user name or bad password”. But how can I add the “AND” EventID must match exactly 4625?

Thanks in advance for your help!
JC

I don’t think you need the “Unknown username or bad password” part; event 4625 is exactly that, no more, no less.

Rather than catching that in an Extractor, if you put it through pipeline rules, you can augment the information in the message. For instance, the link I gave above has translation tables for the status/substatus code of the bad login… which you can place in a table to look up when the event happens and tell more about the bad login. There is another table for logon “type” if you are interested; that link has a “cheat sheet” you can download that has key Windows security events (short list) to work with.

So with a pipeline and a rule like the one below and its table lookups, you can get more detail and a more presentable alert.

rule "bad_password_rule"
when
    // Bad Password
    to_string($message.winlog_event_id) == "4625"
then

    let subject_0 = concat("PW-BAD: ", to_string($message.winlog_event_data_TargetUserName));
    let subject_1 = concat(subject_0, " connecting to ");
    let subject_fin = concat(subject_1, to_string($message.winlog_host_name));
    set_field("short_detail", subject_fin);
    //
    // create detail of alert
    let LogonTypeNumber = to_string($message.winlog_event_data_LogonType);  //logon type... interactive, batch, etc...
    let LogonTypeResult = lookup_value("winLogonType",LogonTypeNumber, 0);  //Lookup logon type against bre-built table
    let LogonTypeErr    = lookup_value("WinLogonErr" ,to_string($message.winlog_event_data_SubStatus), 0);  //lookup error reason in pre-built table.
    let build_mess_0    = concat("Failed Password Attempt - ",  to_string($message.winlog_event_data_TargetUserName));  //build out explanation for Error message
    let build_mess_1    = concat(build_mess_0, " attempting to log in to ");
    let build_mess_2    = concat(build_mess_1, to_string($message.winlog_event_SubjectDomainName));
    let build_mess_3    = concat(build_mess_2, "-");
    let build_mess_4    = concat(build_mess_3, to_string($message.winlog_host_name));
    let build_mess_5    = concat(build_mess_4, ". Logon Type: ");
    let build_mess_6    = concat(build_mess_5, to_string(LogonTypeResult));
    let build_mess_7    = concat(build_mess_6, ". Attempt came from: ");
    let build_mess_8    = concat(build_mess_7, to_string($message.winlog_event_data_WorkstationName));
    let build_mess_9    = concat(build_mess_8, ".  ERROR: ");
    let build_mess_fin  = concat(build_mess_9, to_string(LogonTypeErr));
    set_field("the_explanation", build_mess_fin);
    route_to_stream("security_reports");
end

and you can get a line out of it similar to this:

Failed Password Attempt - greg.smith@kubernetes.com attempting to log in to DockerApp. Logon Type: NetworkClearText. Attempt came from: DockerOne. ERROR: User name is correct but the password is wrong - NTLM

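A plain-Python model of the enrichment the rule above performs, added here as an example (not the poster’s code and not Graylog’s): it lets you check the lookup-table logic before wiring the tables up in Graylog. The two lookup tables and the sample 4625 event are constructed for illustration; the field names are the ones the rule uses.

```python
# Added example (not from the thread or Graylog): a Python model of the
# bad_password_rule above; lookup tables and sample event are constructed.
# Stand-ins for the "winLogonType" / "WinLogonErr" Graylog lookup tables;
# keys are strings because the rule passes to_string() values to lookup_value().
WIN_LOGON_TYPE = {
    "2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
    "7": "Unlock", "8": "NetworkClearText", "10": "RemoteInteractive",
}
WIN_LOGON_ERR = {  # common 4625 SubStatus codes
    "0xc000006a": "User name is correct but the password is wrong",
    "0xc0000064": "User name does not exist",
    "0xc0000234": "User is currently locked out",
    "0xc0000072": "Account is currently disabled",
}

def lookup_value(table, key, default):
    """Mirror Graylog's lookup_value(table, key, default): default when key is missing."""
    return table.get(str(key).lower(), default)

def bad_password_rule(message):
    """Return the fields the rule would set on the message, or None if it does not fire."""
    if str(message.get("winlog_event_id")) != "4625":  # the rule's 'when' clause
        return None
    user = message["winlog_event_data_TargetUserName"]
    host = message["winlog_host_name"]
    logon_type = lookup_value(WIN_LOGON_TYPE, message["winlog_event_data_LogonType"], 0)
    reason = lookup_value(WIN_LOGON_ERR, message["winlog_event_data_SubStatus"], 0)
    return {
        "short_detail": f"PW-BAD: {user} connecting to {host}",
        "the_explanation": (
            f"Failed Password Attempt - {user} attempting to log in to "
            f"{message['winlog_event_SubjectDomainName']}-{host}. "
            f"Logon Type: {logon_type}. "
            f"Attempt came from: {message['winlog_event_data_WorkstationName']}.  "
            f"ERROR: {reason}"
        ),
        "route_to_stream": "security_reports",
    }

# Constructed sample event in the shape the rule expects (Winlogbeat-style field names).
SAMPLE_EVENT = {
    "winlog_event_id": 4625,
    "winlog_event_data_TargetUserName": "jdoe",
    "winlog_host_name": "FILESRV01",
    "winlog_event_SubjectDomainName": "EXAMPLE",
    "winlog_event_data_LogonType": 3,
    "winlog_event_data_SubStatus": "0xC000006A",
    "winlog_event_data_WorkstationName": "WKS-042",
}
```

An unknown SubStatus falls through to the default (0), which is the same behaviour you get from the Graylog rule when a code is missing from the table, so it is worth keeping the table complete.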

Hello @jcfrigon

You can just use the EventID. Those stream rules were a lab setup to filter out white noise, because I had other services creating failed logons that were filling up the stream. Not only do services generate EventID 4625, but users do too.

You are correct, the example above is just for show.

If you’re using a global search you can use.

If you need to add another rule on your stream, click the green button on the right.

You have two choices in case you have multiple rules.

  • A message must match all of the following rules
  • A message must match at least one of the following rules

Click save.

Depending on how in-depth you want to get, @tmacgbay has a Windows template for alerts here

Thanks @tmacgbay & @gsmith for your answers. I really appreciate it! I will work hard then to define my own rules!!!

By the way, what kind of info should I start to look at (I have workstations, servers, internal web servers, firewall, etc.)?

Thanks again for all your help!

Hello,

These two links should help

Hope that helps

Hahaha You’re right, I should have started with the docs!!! :sweat_smile: The funniest thing is that the first link you sent me is already open in another tab waiting for me to read it…

Anyway, thanks for all your time and help!
