The quick answer is yes. The longer answer is Graylog won't do it out of the box but will provide you with all the tools you need to do it. Ultimately, if you can send your samba logs to a graylog server using rsyslog or syslog-ng then you are already halfway there. Then the rest of the solution is to extract the data into the appropriate fields, which will then allow you to create dashboards and alerts etc.
On Thursday, January 12, 2017 at 10:18:41 AM UTC-6, Stephen Horvath wrote:
> Hi everyone, I'm a new user to graylog and it looks great.
> I started looking because I wanted to feed my samba audit logs into a central location.
> In addition to this I want a way to be able to "watch" my samba logs for suspicious activity.
> Ransomware has been hitting everyone, luckily we have a very solid hourly backup routine using zfs but restoring is never nice to do.
> Often the AV companies are days behind an outbreak so we started using scripts to watch the audit logs for the usual suspect names they use but even that changes regularly.
> What I was hoping to do with graylog is "watch" my logs and alert if for eg. x number of pwrites occur from the same ip in n seconds.
>
> Can this be done? if so any tips or hints to get me started?
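The "x pwrites from the same ip in n seconds" check asked about above, as an added example that is not part of either post: a small Python sliding-window detector run over constructed syslog lines from smbd's vfs_full_audit module. The user|ip|operation|result|path record layout is assumed from the module's default prefix; adjust the field indexes to your own full_audit:prefix.

```python
"""Sliding-window count of Samba pwrite events per client IP (added example).
Constructed log lines imitate syslog output from smbd's vfs_full_audit module
with the default prefix (user|client IP), giving user|ip|operation|result|path.
That field layout is an assumption; adjust the indexes to your full_audit:prefix."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: 192.0.2.10 writes in a burst, 192.0.2.20 works normally.
SAMPLE_LOG = """\
Jan 12 10:18:41 fs1 smbd_audit: alice|192.0.2.10|pwrite|ok|/srv/share/q1.xlsx
Jan 12 10:18:41 fs1 smbd_audit: alice|192.0.2.10|pwrite|ok|/srv/share/q2.xlsx
Jan 12 10:18:42 fs1 smbd_audit: bob|192.0.2.20|pread|ok|/srv/share/notes.txt
Jan 12 10:18:42 fs1 smbd_audit: alice|192.0.2.10|pwrite|ok|/srv/share/q3.xlsx
Jan 12 10:18:43 fs1 smbd_audit: alice|192.0.2.10|pwrite|ok|/srv/share/q4.xlsx
Jan 12 10:18:44 fs1 smbd_audit: bob|192.0.2.20|pwrite|ok|/srv/share/notes.txt
Jan 12 10:19:30 fs1 smbd_audit: alice|192.0.2.10|pwrite|ok|/srv/share/q5.xlsx
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ smbd_audit: (?P<rec>.+)$")

def parse(line, year=2017):
    """Return (timestamp, client_ip, operation), or None for unrecognised lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("rec").split("|")
    if len(fields) < 3:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, fields[1], fields[2]

def burst_writers(log_text, threshold, window_s, op="pwrite"):
    """Map each IP that did >= threshold `op` events inside any window_s-second
    span to the time the threshold was first crossed. Lines are assumed to be
    in time order, as they arrive from syslog."""
    recent = defaultdict(deque)   # ip -> timestamps of `op` events still in window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] != op:
            continue                # ignore reads and non-audit lines
        ts, ip, _ = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()             # drop events older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged
```

In Graylog terms, parse() is the job of the extractor that pulls ip and operation into fields, and burst_writers() is the alert condition you would define over those fields.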
