I want to be able to create an event definition to alert when a login to the Graylog web interface fails, for example. I see there’s a Graylog event index that has messages in it, but those messages don’t appear to be visible in any stream. Where can I view the events?
Do a quick search in the community. You can find some topics about Graylog’s login logs.
After you set it up, you can forward it to Graylog (e.g. with rsyslogd), and after that you can set up whatever you want.
But be careful, it may not be the best idea to forward an application’s log back to the application. It can generate messages again, which you then send back to it… It is almost the definition of a broadcast storm! So I suggest forwarding only login logs, or filtering it somehow.
For anyone else looking for help on this, here are the steps I used.
- Set up syslogging from the Graylog host server to Graylog. We had configured rsyslog previously to set up monitoring of the host system itself, so for us it was obvious to just use this to capture Graylog audit events also.
- Enable the log4j2 appender using the following guide or whatever guide is appropriate for your version. Everything you need is in the guide: https://docs.graylog.org/en/3.3/pages/auditlog/setup.html
- Modify your syslog configuration on the host server so that it is sending the data from the audit log configured in the prior step to Graylog as well.
- Configure your index and stream rules to capture the data into the index and stream you prefer.
- Set up event definitions and alerting as you do, but be careful not to alert on audit events or event definition creation. For the alert on web interface login failures, currently our event definition filter looks like this:
message: "object=urn:graylog:session:, status=FAILURE" AND message: "session created" AND message: "namespace=server" AND NOT message: "namespace=views" AND NOT message: "namespace=events"
The last 2 constraints are to prevent alerts firing when a qualifying message shows up in a search result in a stream, for example.
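
The filter described in the post above can be checked offline before it goes into an event definition. The following is an added example, not part of the original post or of Graylog: it approximates the filter with substring checks and runs it over constructed audit lines whose field layout is an assumption, including lines where the filter text itself is logged back under the `views` and `events` namespaces.

```python
# Phrases taken from the event definition filter quoted in the post above.
REQUIRED = (
    "object=urn:graylog:session:, status=FAILURE",
    "session created",
    "namespace=server",
)
EXCLUDED = ("namespace=views", "namespace=events")


def would_alert(message: str) -> bool:
    """Approximate the filter: every required phrase present, no excluded one.

    Assumption: substring checks stand in for Graylog's phrase queries,
    which match on analyzed tokens rather than raw characters.
    """
    return (all(p in message for p in REQUIRED)
            and not any(p in message for p in EXCLUDED))


def explain(message: str) -> dict:
    """Show which clauses decided the outcome, for debugging a filter."""
    return {
        "missing": [p for p in REQUIRED if p not in message],
        "blocked_by": [p for p in EXCLUDED if p in message],
    }


# What an audit line would embed if it recorded the filter text itself.
FILTER_TEXT = " ".join(REQUIRED)

# Constructed sample lines; the field layout is assumed, not real output.
SAMPLES = {
    "failed_login": "actor=urn:graylog:user:alice, namespace=server, "
                    "object=urn:graylog:session:, status=FAILURE, "
                    "message=session created",
    "good_login": "actor=urn:graylog:user:bob, namespace=server, "
                  "object=urn:graylog:session:abc123, status=SUCCESS, "
                  "message=session created",
    "logged_search": "actor=urn:graylog:user:bob, namespace=views, "
                     "status=SUCCESS, query=" + FILTER_TEXT,
    "logged_event_def": "actor=urn:graylog:user:bob, namespace=events, "
                        "status=SUCCESS, query=" + FILTER_TEXT,
}


def alerting_samples() -> list:
    """Names of the sample lines that would raise the alert."""
    return sorted(n for n, line in SAMPLES.items() if would_alert(line))


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, would_alert(line), explain(line))
```

Without the two `NOT` clauses, the `logged_search` and `logged_event_def` lines would satisfy every required phrase and re-trigger the alert.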