I started looking through the marketplace to see if a plugin was available and it looks like this plugin <https://github.com/cvtienhoven/graylog-plugin-aggregates> offers the functionality I'm looking for. About to install and test now. I will update this thread for anyone else looking.
On Monday, August 22, 2016 at 12:12:44 PM UTC-5, bw wrote:
> Hello, fellow grayloggers!
>
> I've recently been tasked with deploying graylog in my company's datacenter. The original intention was to monitor and alert for brute force attacks against the numerous WAN-facing services across our clients' networks. Of course, once I got my hands dirty with this incredible platform, we kept thinking of different applications for it (I'm sure I'm not alone in that respect).
>
> A week ago, shortly after deployment, we discovered a problem with our current implementation. We need to be alerted for failed login attempts on a per-host basis.
>
> Example timeline:
> 08:01 - Failed login to dc01.
> 08:02 - Failed login to dc01.
> 08:02 - Failed login to dc01.
> 08:02 - Failed login to dc01.
> 08:03 - Failed login to dc01.
> 08:03 - Successful login to dc01.
> 08:10 - Failed login to exch01.
>
> In this example, we have a stream configured to catch failed login attempts for Windows servers. An alert on this stream is set to trigger once the number of messages in this stream has exceeded 5 within 10 minutes. The failed login to exch01 will trigger the alert. What I would like to do is have graylog only alert if the message threshold has been reached for an individual host. Creating a separate stream for each server is very impractical and doesn't scale well. We've considered a separate stream for each client; this is better than each host, but still not practical at our volume and prone to false positives.
>
> I'm sure there's a way to work around this, but the functionality I'm needing seems easy enough from a developer's standpoint that I want to believe it's already possible.
>
> Any suggestions?
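The difference between the stream-wide threshold the quoted post describes and the per-host threshold it asks for is easy to see in code. The following is an added example written for this thread; it is not code from Graylog, from the aggregates plugin, or from either poster. It assumes a constructed list of (time, host, outcome) tuples modelled on the timeline above, a threshold of "more than 5 failures" and a 10-minute sliding window, and evaluates both counting strategies over the same events.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events modelled on the timeline in the post
# (not real log data). Each entry is (HH:MM, host, outcome).
SAMPLE_EVENTS = [
    ("08:01", "dc01", "failed"),
    ("08:02", "dc01", "failed"),
    ("08:02", "dc01", "failed"),
    ("08:02", "dc01", "failed"),
    ("08:03", "dc01", "failed"),
    ("08:03", "dc01", "success"),
    ("08:10", "exch01", "failed"),
]

THRESHOLD = 5                  # post: alert once the count "has exceeded 5"
WINDOW = timedelta(minutes=10)  # post: "within 10 minutes"


def parse_time(hhmm):
    """Turn an HH:MM string into a datetime; the date is an arbitrary fixed day."""
    hour, minute = hhmm.split(":")
    return datetime(2016, 8, 22, int(hour), int(minute))


def _evict_old(window_deque, now, window):
    """Drop timestamps that fall outside the sliding window ending at `now`."""
    while window_deque and now - window_deque[0] > window:
        window_deque.popleft()


def stream_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Stream-wide count: one window shared by every host in the stream.

    Returns a list of (time, host, count) for each event that pushed the
    stream-wide count over the threshold. This is the behaviour the post
    describes: the exch01 failure fires because dc01's failures are counted too.
    """
    recent = deque()
    alerts = []
    for ts, host, outcome in events:
        if outcome != "failed":
            continue
        now = parse_time(ts)
        recent.append(now)
        _evict_old(recent, now, window)
        if len(recent) > threshold:
            alerts.append((ts, host, len(recent)))
    return alerts


def per_host_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Per-host count: a separate sliding window keyed by host.

    Returns a list of (time, host, count) for each event that pushed that
    host's own count over the threshold. With the sample timeline nothing
    fires: dc01 reaches exactly 5 failures (not more than 5) and exch01 has 1.
    """
    recent = defaultdict(deque)
    alerts = []
    for ts, host, outcome in events:
        if outcome != "failed":
            continue
        now = parse_time(ts)
        window_deque = recent[host]
        window_deque.append(now)
        _evict_old(window_deque, now, window)
        if len(window_deque) > threshold:
            alerts.append((ts, host, len(window_deque)))
    return alerts


if __name__ == "__main__":
    print("stream-wide:", stream_alerts(SAMPLE_EVENTS))
    print("per-host:   ", per_host_alerts(SAMPLE_EVENTS))
```

The per-host variant is what a "group by host" aggregation gives you: the key of the counter is the host field, so one busy server cannot trip the alert for an unrelated one. Note that both counters treat "exceeded 5" as strictly more than five, matching the wording of the post; whether a successful login should reset a host's counter is a policy choice the post does not make, so the example does not reset it either.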
