Hello, fellow grayloggers! I've recently been tasked with deploying Graylog in my company's datacenter. The original intention was to monitor and alert for brute force attacks against the numerous WAN-facing services across our clients' networks. Of course, once I got my hands dirty with this incredible platform, we kept thinking of different applications for it (I'm sure I'm not alone in that respect).
A week ago, shortly after deployment, we discovered a problem with our current implementation. We need to be alerted for failed login attempts on a per-host basis. Example timeline:

08:01 - Failed login to dc01.
08:02 - Failed login to dc01.
08:02 - Failed login to dc01.
08:02 - Failed login to dc01.
08:03 - Failed login to dc01.
08:03 - Successful login to dc01.
08:10 - Failed login to exch01.

In this example, we have a stream configured to catch failed login attempts for Windows servers. An alert on this stream is set to trigger once the number of messages in this stream has exceeded 5 within 10 minutes. The failed login to exch01 will trigger the alert. What I would like to do is have Graylog only alert if the message threshold has been reached for an individual host. Creating a separate stream for each server is very impractical and doesn't scale well. We've considered a separate stream for each client; this is better than each host, but still not practical at our volume and prone to false positives. I'm sure there's a way to work around this, but the functionality I'm needing seems easy enough from a developer's standpoint that I want to believe it's already possible. Any suggestions?
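To make the difference concrete, here is an added Python example (not from the post, and not Graylog's own alerting code) that replays the timeline above through two sliding-window rules: the stream-wide count the post describes, and a per-host count keyed on the server name. The event tuples are constructed from the post's timeline, and the window semantics (a failure counts while it is no more than 10 minutes older than the newest one) are my assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed events mirroring the post's timeline: (time, host, outcome).
SAMPLE_EVENTS = [
    ("08:01", "dc01", "failed"),
    ("08:02", "dc01", "failed"),
    ("08:02", "dc01", "failed"),
    ("08:02", "dc01", "failed"),
    ("08:03", "dc01", "failed"),
    ("08:03", "dc01", "success"),
    ("08:10", "exch01", "failed"),
]

THRESHOLD = 5                 # alert once the failure count exceeds this
WINDOW = timedelta(minutes=10)


def _parse(ts):
    return datetime.strptime(ts, "%H:%M")


def _slide(queue, now, window):
    """Append `now` and drop entries older than the window (assumed semantics)."""
    queue.append(now)
    while queue and now - queue[0] > window:
        queue.popleft()


def stream_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Stream-wide rule: one counter for every host in the stream.
    Returns (time, host) of each event at which the alert would fire."""
    recent, alerts = deque(), []
    for ts, host, outcome in events:
        if outcome != "failed":
            continue
        _slide(recent, _parse(ts), window)
        if len(recent) > threshold:
            alerts.append((ts, host))
    return alerts


def per_host_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Per-host rule: an independent counter for each host, so a single
    failure on exch01 cannot push dc01's count over the line."""
    recent, alerts = defaultdict(deque), []
    for ts, host, outcome in events:
        if outcome != "failed":
            continue
        _slide(recent[host], _parse(ts), window)
        if len(recent[host]) > threshold:
            alerts.append((ts, host))
    return alerts
```

With the post's timeline the stream-wide rule fires on the exch01 failure (six failures in nine minutes), while the per-host rule stays silent because dc01 reached exactly five and exch01 only one.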
