Value comparison from different messages


1. Describe your incident:
Hi, I'm a new user of Graylog, and I would like to compare values which appear multiple times in different messages and create an alert when the value of a field is equal to the value of the same field in a different message.
For example, I centralize AD connection logs, and I want to be able to know when a user logs in with different IP addresses at the same time. So, I want to compare the IP addresses.

I tried to use pipelines but I don’t really know how I can compare the value from another message.
I know it’s wrong, but here is my rule:
rule "test"
when
  to_string($message.AdresseIP) == to_string($message.AdresseIP)
then
  set_field("double","true");
end

If you know how I can do that, you may help me a lot!!
Thanks

Hello,

I might be able to help.
What I do know is that you can compare fields. I'm not 100% sure you can do this in the same message string.

Let’s say you have this log

<189>date=2022-04-14 time=17:05:46 devname="011-011" devid="FBT60D464646462014" logid="0001000014" type="traffic" subtype="local" level="notice" vd="LAB" eventtime=1649973946 srcip=89.248.165.81 srcport=56834 srcintf="222" srcintfrole="lan" dstip=192.168.1.100 dstport=35770 dstintf="LAB" dstintfrole="undefined" sessionid=259146975 proto=6 action="deny" policyid=2 policytype="local-in-policy" service="tcp" dstcountry="United States" srccountry="Netherlands" trandisp="noop" app="tcp/35770" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=10 craction=262144 crlevel="medium"

I would extract that IP ADDRESS from that message and create a unique field.

Perhaps something like this.

That way you have a field srcip and can compare it to a device. So basically, if that field changes for that device, send an alert.

Or

It's better to first check if the field exists:

rule "test"
when
  // contains(value, search) takes two arguments; the stray "==" was a syntax error
  has_field("srcip") and contains(to_string($message.srcip), "192.168.1.2")
then
  set_field("double","true");
end

Here is some information that could help.

https://graylog.zammad.com/help/en-us/15-pipeline-rule-samples

Thank you for your help but I resolved my problem with an aggregation and the card() function. So I have the number of different IP addresses related to one user.

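The per-user distinct-IP count that the aggregation with card() produces, reimplemented here as an added standalone Python example (not Graylog code and not from this thread) so the detection logic can be seen end to end. The log lines, the field names (user, AdresseIP) and the 10-minute window are constructed assumptions.

```python
# Added example: count distinct login source IPs per user within a time window,
# the same cardinality check the thread's card() aggregation performs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample AD-style logon lines; field names are assumptions.
SAMPLE_LOGS = [
    "2022-04-14T17:05:46 user=alice AdresseIP=10.0.0.5 event=4624",
    "2022-04-14T17:06:10 user=bob AdresseIP=10.0.0.7 event=4624",
    "2022-04-14T17:07:02 user=alice AdresseIP=10.0.0.5 event=4624",
    "2022-04-14T17:08:30 user=alice AdresseIP=172.16.4.9 event=4624",
    "2022-04-14T18:30:00 user=bob AdresseIP=10.0.0.8 event=4624",
]


def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a dict with a parsed timestamp."""
    ts_str, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["timestamp"] = datetime.fromisoformat(ts_str)
    return fields


def distinct_ips_per_user(lines, window=timedelta(minutes=10)):
    """Return {user: largest number of distinct IPs seen inside any `window`}."""
    events = defaultdict(list)
    for line in lines:
        f = parse_line(line)
        events[f["user"]].append((f["timestamp"], f["AdresseIP"]))
    result = {}
    for user, evs in events.items():
        evs.sort()  # sliding window over time-ordered logons
        best = 0
        for i, (t0, _) in enumerate(evs):
            ips = {ip for t, ip in evs[i:] if t - t0 <= window}
            best = max(best, len(ips))
        result[user] = best
    return result


def alerts(lines, window=timedelta(minutes=10), threshold=2):
    """Users whose distinct-IP count in the window reaches the threshold."""
    counts = distinct_ips_per_user(lines, window)
    return sorted(u for u, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    print(distinct_ips_per_user(SAMPLE_LOGS))  # {'alice': 2, 'bob': 1}
    print(alerts(SAMPLE_LOGS))  # ['alice']
```

Widening the window (for example to two hours) also flags bob, which is the same trade-off the aggregation's search window sets in Graylog.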
