I am new to Graylog and I would like to use it with our firewall, especially when somebody wants to access blocked sites.
The firewall is producing 2 messages:
2017-09-27 14:01:48.000 balance-73ee
balance-73ee URL Logging: SSLCERT=www.gamingclub.com SRC=192.168.1.123 DST=185.31.222.155 SNATIP=37.71.232.194 SRCMAC=xx:xx:xx:xx:xx:xx SPT=53358 DPT=443
2017-09-27 14:01:48.000 balance-73ee
balance-73ee URL Logging: Domain <www.gamingclub.com> has been blocked by content filter category <ads>
I would like to be able to have an alert that somebody (IP + MAC address) tried to access the site and has been blocked due to the category.
But these are in 2 different messages. Is it possible to make this extraction?
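As an added illustration (not code from the thread or from Graylog), the script below parses the two message shapes shown above and correlates them the way the question asks for: the connection message carries the source IP and MAC, the block message carries the category, and the two are joined on the firewall host plus the domain within a short time window. The sample lines, the placeholder MAC address, the 5-second window and the assumption that the connection message precedes the block message are all constructed for this example; the real firewall may log non-TLS requests with a key other than SSLCERT, which this parser does not cover.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input shaped like the two firewall messages in the question.
# The MAC address is a placeholder; the third line is an unrelated connection
# that must not produce an alert.
SAMPLE_LOG = """\
2017-09-27 14:01:48.000 balance-73ee URL Logging: SSLCERT=www.gamingclub.com SRC=192.168.1.123 DST=185.31.222.155 SNATIP=37.71.232.194 SRCMAC=00:11:22:33:44:55 SPT=53358 DPT=443
2017-09-27 14:01:48.000 balance-73ee URL Logging: Domain <www.gamingclub.com> has been blocked by content filter category <ads>
2017-09-27 14:02:10.000 balance-73ee URL Logging: SSLCERT=www.example.org SRC=192.168.1.50 DST=93.184.216.34 SNATIP=37.71.232.194 SRCMAC=aa:bb:cc:dd:ee:ff SPT=40000 DPT=443
"""

# Common prefix: timestamp, firewall host, then the message body.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<host>\S+) "
    r"URL Logging: (?P<body>.*)$"
)
# Second message type: the content-filter verdict.
BLOCK_RE = re.compile(
    r"Domain <(?P<domain>[^>]+)> has been blocked by content filter category "
    r"<(?P<category>[^>]+)>"
)
# First message type: space-separated KEY=VALUE pairs.
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Return a dict describing the event, or None if the line is not one of the two shapes."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
    body = m["body"]
    block = BLOCK_RE.match(body)
    if block:
        return {"kind": "block", "ts": ts, "host": m["host"],
                "domain": block["domain"], "category": block["category"]}
    fields = dict(KV_RE.findall(body))
    if "SSLCERT" in fields:  # assumption: TLS connections are keyed by SSLCERT
        return {"kind": "connection", "ts": ts, "host": m["host"],
                "domain": fields["SSLCERT"], "src": fields.get("SRC"),
                "mac": fields.get("SRCMAC"), "dst": fields.get("DST")}
    return None


def correlate(lines, window=timedelta(seconds=5)):
    """Join each block message to the most recent matching connection message.

    State is kept per (host, domain) across messages, which is exactly what a
    per-message extractor cannot do. A block with no connection inside the
    window still yields an alert, with the source fields left empty.
    """
    recent = {}  # (host, domain) -> connection events, oldest first
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["host"], ev["domain"])
        if ev["kind"] == "connection":
            recent.setdefault(key, []).append(ev)
            continue
        # Drop connections older than the window, then consume the newest one.
        cands = [c for c in recent.get(key, []) if ev["ts"] - c["ts"] <= window]
        conn = cands.pop() if cands else None
        recent[key] = cands
        alerts.append({
            "ts": ev["ts"], "host": ev["host"], "domain": ev["domain"],
            "category": ev["category"],
            "src": conn["src"] if conn else None,
            "mac": conn["mac"] if conn else None,
        })
    return alerts


def format_alert(alert):
    """Render the alert in the wording the question asks for."""
    return (f"URL {alert['domain']} from MAC {alert['mac'] or 'unknown'} "
            f"and IP {alert['src'] or 'unknown'} was blocked due to the "
            f"category {alert['category']}")


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG.splitlines()):
        print(format_alert(a))
```

The window matters for correctness as well as memory: with no expiry, a stale connection to the same domain from an earlier client could be attributed to a later block verdict. If the firewall can emit the two messages in either order (both carry the same timestamp here), the block message would also need to be buffered briefly before giving up on a match.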
Hi,
I did something like that with the Linux kernel oom-killer.
You can create an alert with ‘field content’ condition on ‘message’ type.
Then use value like ‘has been blocked by content filter category’ and set ‘backlog’ to 2.
Doing so you should receive an alert with both messages.
Thanks very much for this answer.
Would it be possible to extract, so I send an email saying that
"URL from MAC Address and IP was blocked due to the category "
I don’t think so.
The problem is that those messages are 2 separate events.
Sure, you can create an extractor to index keywords from the first message, but the alert you are looking for will match the condition of the second message.
I don’t know if with the GL pipelines you can “merge” events, but I think the better option you have is to use ‘backlog’ 2 as said before to send an email with both messages.
I’m sorry.
Btw, wait to hear from any of the @Graylog_staff, I’m only a simple user.
Message processing is basically stateless, so every message is being processed on its own and cannot access attributes from other messages.
This being said, there’s the SLookup plugin which enables you to fetch other messages in a pipeline rule (with all the disadvantages and implications for the processing performance):