Update: looks like that plugin is too buggy for production. Still hoping to find an answer to this.
On Monday, August 22, 2016 at 1:19:38 PM UTC-5, bw wrote:
>
> I started looking through the marketplace to see if a plugin was available and it looks like this plugin <https://github.com/cvtienhoven/graylog-plugin-aggregates> offers the functionality I'm looking for. About to install and test now. I will update this thread for anyone else looking.
>
> On Monday, August 22, 2016 at 12:12:44 PM UTC-5, bw wrote:
>>
>> Hello, fellow grayloggers!
>>
>> I've recently been tasked with deploying graylog in my company's datacenter. The original intention was to monitor and alert for brute force attacks against the numerous WAN-facing services across our clients' networks. Of course, once I got my hands dirty with this incredible platform, we kept thinking of different applications for it (I'm sure I'm not alone in that respect).
>>
>> A week ago, shortly after deployment, we discovered a problem with our current implementation. We need to be alerted for failed login attempts on a per-host basis.
>>
>> Example timeline:
>> 08:01 - Failed login to dc01.
>> 08:02 - Failed login to dc01.
>> 08:02 - Failed login to dc01.
>> 08:02 - Failed login to dc01.
>> 08:03 - Failed login to dc01.
>> 08:03 - Successful login to dc01.
>> 08:10 - Failed login to exch01.
>>
>> In this example, we have a stream configured to catch failed login attempts for Windows servers. An alert on this stream is set to trigger once the number of messages in this stream has exceeded 5 within 10 minutes. The failed login to exch01 will trigger the alert. What I would like to do is have graylog only alert if the message threshold has been reached for an individual host. Creating a separate stream for each server is very impractical and doesn't scale well. We've considered a separate stream for each client; this is better than each host, but still not practical at our volume and prone to false positives.
>>
>> I'm sure there's a way to work around this, but the functionality I'm needing seems easy enough from a developer's standpoint that I want to believe it's already possible.
>>
>> Any suggestions?
>>
-- 
You received this message because you are subscribed to the Google Groups "Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/3cfc4bdc-bbc3-4858-aed4-9f7437e83e6e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
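The difference between the stream-wide rule the post describes and the per-host rule it asks for, as an added example that is not part of the thread and is not code from Graylog or from the linked aggregates plugin. It is plain Python rather than a Graylog plugin, and it assumes a constructed log format ("HH:MM - Failed login to host.") that mirrors the timeline in the post; the threshold and window match the post (alert once more than 5 failures land within 10 minutes). Run over the post's own timeline, the stream-wide counter fires on the single exch01 failure, exactly the false positive being complained about, while the per-host counter stays quiet because dc01 only reached 5. A second constructed sample adds a sixth dc01 failure so the per-host rule can be seen firing:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample input, not real Graylog output: the exact timeline from
# the post. The "HH:MM - Outcome login to host." line format is an assumption
# made for this example.
SAMPLE_LOG = """\
08:01 - Failed login to dc01.
08:02 - Failed login to dc01.
08:02 - Failed login to dc01.
08:02 - Failed login to dc01.
08:03 - Failed login to dc01.
08:03 - Successful login to dc01.
08:10 - Failed login to exch01.
"""

# Second constructed sample: a real per-host burst (six failures on dc01 inside
# the window) mixed with one failure on exch01, plus a late straggler on dc01.
SAMPLE_LOG_BURST = """\
08:01 - Failed login to dc01.
08:02 - Failed login to dc01.
08:02 - Failed login to dc01.
08:02 - Failed login to dc01.
08:03 - Failed login to dc01.
08:03 - Failed login to exch01.
08:04 - Failed login to dc01.
08:15 - Failed login to dc01.
"""

LINE_RE = re.compile(r"^(\d{2}):(\d{2}) - (Failed|Successful) login to (\S+)\.$")


def parse_events(text):
    """Return a list of (timestamp, outcome, host); lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        hh, mm, outcome, host = m.groups()
        # The date is arbitrary; only the ordering and spacing of events matter here.
        events.append((datetime(2016, 8, 22, int(hh), int(mm)), outcome, host))
    return events


def _count_and_check(queue, ts, threshold, window):
    """Add ts to a sliding window, drop entries older than `window`, and report
    whether the window now holds more than `threshold` failures. On a hit the
    window is cleared so one burst yields one alert rather than one per message."""
    queue.append(ts)
    while queue and ts - queue[0] > window:
        queue.popleft()
    if len(queue) > threshold:
        queue.clear()
        return True
    return False


def stream_wide_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """The rule the post describes: one counter across every host in the stream.
    Returns a list of "HH:MM" strings, one per alert."""
    recent = deque()
    alerts = []
    for ts, outcome, host in events:
        if outcome != "Failed":
            continue
        if _count_and_check(recent, ts, threshold, window):
            alerts.append(ts.strftime("%H:%M"))
    return alerts


def per_host_alerts(events, threshold=5, window=timedelta(minutes=10)):
    """Same threshold and window, but keyed by host, so only a burst against a
    single host can trip it. Returns a list of ("HH:MM", host) tuples."""
    recent = defaultdict(deque)
    alerts = []
    for ts, outcome, host in events:
        if outcome != "Failed":
            continue
        if _count_and_check(recent[host], ts, threshold, window):
            alerts.append((ts.strftime("%H:%M"), host))
    return alerts


if __name__ == "__main__":
    for name, log in (("post timeline", SAMPLE_LOG), ("dc01 burst", SAMPLE_LOG_BURST)):
        ev = parse_events(log)
        print(name)
        print("  stream-wide alerts:", stream_wide_alerts(ev))
        print("  per-host alerts:   ", per_host_alerts(ev))
```

Two choices in there are worth calling out when translating this into a real alert rule. First, "within 10 minutes" is taken as inclusive (an event exactly 10 minutes old still counts); Graylog's own window semantics may differ, so check the boundary with a test like the timelines above. Second, the window is cleared after an alert so that a sustained brute-force attempt produces one alert per burst instead of one per message; without that, the stream-wide rule would also re-fire on every message after the sixth, which is the kind of noise that makes per-client streams "prone to false positives".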
