Tom, I didn’t see where you specified the firewall/routers but I have an ACL in our Cisco router that checks outbound traffic and if any traffic matches an ACL rule it is set to log. This router logging is sent to our Graylog2 collector via syslog messages to the specified IP/port combination. The syslog entries coming from the firewall has all the information needed for decent logging. Based on these syslog messages, you can create your alerts on the router/firewall inputs.
Curtis Starnes Senior Network Administrator Granbury ISD 600 W. Bridge St. Ste. 40 Granbury, Texas 76048 (817) 408-4104 (817) 408-4126 Fax [email protected]<mailto:[email protected]> www.granburyisd.org<http://www.granburyisd.org/> [cid:[email protected]] OPEN RECORDS NOTICE: This email and responses may be subject to Texas Open Records laws and may be disclosed to the public upon request. From: [email protected] [mailto:[email protected]] On Behalf Of Tom Vile Sent: Friday, August 19, 2016 3:07 PM To: Graylog Users <[email protected]> Subject: [graylog2] Need assistance on building an alert. I have been tasked with building out a Graylog2 cluster solution at my company and it has been going very well but need some help with the best way to handle a rather complex alert. We have roughly1500 Windows computers with 4 at roughly 400 locations on their own private networks. They are locked down so that they can only communicate with specific IP addresses listed in a firewall that is at each location. All the firewalls are of the same make and model if that helps. I do not need assistance with communication to each location as that is already working. What I want to do is create an alert so that if one of the computers attempts to communicate outside of the approved IP network I get an alert. -------------------------------------------------------------------------------------------------------------------------------------------------- Example: Location has an IP network of 192.168.1.0 PC attempts to communicate with an IP address outside of the IP range of 192.168.1.1-10 If the PC attempts to connect to an IP of say 172.17.1.1 or any other not approved I receive an alert. -------------------------------------------------------------------------------------------------------------------------------------------------- Generally this is not an issue but security is a top priority and there have been times where a tech plugs in something where he/she shouldn't or an employee does the same. I have been successful in setting up quite a few alerts and they work great but I want to make certain I do this in the best possible way without it being too complex if possible. What would be the best way of handling a condition like this? Thanks in advance for any suggestions, Tom -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]<mailto:[email protected]>. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/0e029699-f35e-4c0d-83c6-8d23d0c0e426%40googlegroups.com<https://groups.google.com/d/msgid/graylog2/0e029699-f35e-4c0d-83c6-8d23d0c0e426%40googlegroups.com?utm_medium=email&utm_source=footer>. For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "Graylog Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/DM5PR08MB2395218AFA76FC8A742795229E160%40DM5PR08MB2395.namprd08.prod.outlook.com. For more options, visit https://groups.google.com/d/optout.
