Hi Jochen!
Thank you!
Did exactly that.
<https://lh3.googleusercontent.com/-kGx01MohYsc/WJHbwmto_lI/AAAAAAAAwxk/jOhOqOekfrcEr5YEMVGfGPV908Hz3fOzQCLcB/s1600/pipeline.PNG>
As I had no information about how much load this puts on the server, I was trying to find an
alternative solution.
Tagging is possible in NXlog via a Verbatim Configuration – see the attached config
we currently use for testing.
This does not require any resources on the Graylog server, as the tagging happens
on the clients.
The main focus is to drop unnecessary Security messages (like computer logins,
which have a $ at the end of the TargetUserName).
Peter Dudas
On Wednesday, 1 February 2017 12:20:27 UTC+1, Jochen Schalanda wrote:
>
> Hi Peter,
>
> On Tuesday, 31 January 2017 09:18:25 UTC+1, Peter Dudas wrote:
>>
>> So the question: is it possible to use conditional actions after the Then
>> part (like a CASE sequence)?
>>
>
> No, that's currently not possible.
>
> We plan to implement functionality in the message processing pipelines to
> support dictionary lookups, but that's not done yet.
>
>> Is it possible somehow to have a When/Then/Else sequence in one rule (do
>> something in case it is not true)?
>
>
> No, but you can create a second rule with inverted conditions to
> accomplish that.
>
> Cheers,
> Jochen
>
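# Drop successful machine-account logon/logoff events (TargetUserName ends in "$")
# before they are forwarded, keeping a one-line copy of each dropped event locally.
# NOTE: after drop() the event never reaches Graylog - security_drop.log is its
# only record, and nothing in this config rotates or caps that file.
# The regex is anchored to the end of the name: the previous /.\$/ matched a "$"
# anywhere in the string, not only a trailing one. The path uses "\\" for every
# separator; the earlier "\data" was the only single backslash in it.
Exec if ($EventID == 4624 or $EventID == 4634 or $EventID == 4678) and \
        ($EventType == "AUDIT_SUCCESS") \
     { \
        if $TargetUserName =~ /\$$/ { \
            $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + \
                         ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + \
                         $TargetUserName + ", IPAddr:" + $IPAddress + "\n"; \
            file_write("C:\\Program Files (x86)\\nxlog\\data\\security_drop.log", $raw_event); \
            drop(); \
        } \
     }

# Tag every event that survived the drop above. This is unconditional: events that
# match none of the $EventID rules below still carry the tag, just without $action.
Exec $tag = 'PCI-DSS';

# Free-text $action label per Security event ID (PCI-DSS related events).
# One rule per line; a later rule for the same ID overwrites an earlier one.
Exec if $EventID == 1102 {$action = 'Log Clear';}
Exec if $EventID == 4608 {$action = 'Windows Start';}
Exec if $EventID == 4609 {$action = 'Windows Shutdown';}
Exec if $EventID == 4610 {$action = 'An authentication package was loaded by the Local Security Authority.';}
Exec if $EventID == 4611 {$action = 'A trusted logon process has registered with the Local Security Authority.';}
Exec if $EventID == 4612 {$action = 'Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.';}
Exec if $EventID == 4614 {$action = 'A notification package was loaded by the Security Accounts Manager';}
Exec if $EventID == 4616 {$action = 'Server time out of synchronization with Domain Controller';}
Exec if $EventID == 4624 {$action = 'Successful Logon (on DC)';}
Exec if $EventID == 4625 {$action = 'Failed Logon attempts – All users';}
Exec if $EventID == 4634 {$action = 'logoff';}
Exec if $EventID == 4647 {$action = 'logoff initiated';}
Exec if $EventID == 4657 {$action = 'A registry value was modified(System Level Object)';}
Exec if $EventID == 4660 {$action = 'Creation or deletion of files in folders containing Cardholder Data';}
Exec if $EventID == 4663 {$action = 'All access to files containing Cardholder Data';}
Exec if $EventID == 4670 {$action = 'Changes to access privileges or ownership on folders containing Cardholder Data';}
Exec if $EventID == 4674 {$action = 'Privilege use (Failure only) for the following user groups: Accounts (User, service or process) with access to Cardholder Data';}
Exec if $EventID == 4697 {$action = 'A service was installed in the system.';}
Exec if $EventID == 4720 {$action = 'User Account Created';}
Exec if $EventID == 4722 {$action = 'User Account Enabled';}
Exec if $EventID == 4723 {$action = 'User changed own password';}
Exec if $EventID == 4724 {$action = 'Password Reset';}
Exec if $EventID == 4725 {$action = 'Disable Account';}
Exec if $EventID == 4726 {$action = 'User Account Deleted';}
Exec if $EventID == 4727 {$action = 'Global Security Group Created';}
Exec if $EventID == 4728 {$action = 'Global Security Group Member added';}
Exec if $EventID == 4729 {$action = 'Global Security Group Member removed';}
Exec if $EventID == 4730 {$action = 'Global Security Group Deleted';}
Exec if $EventID == 4731 {$action = 'Local Security Group Created';}
Exec if $EventID == 4732 {$action = 'Local Security Group Member added';}
Exec if $EventID == 4733 {$action = 'Local Security Group Member removed';}
Exec if $EventID == 4734 {$action = 'Local Security Group Deleted';}
Exec if $EventID == 4735 {$action = 'A local security group was changed';}
Exec if $EventID == 4737 {$action = 'A global security group was changed.';}
Exec if $EventID == 4738 {$action = 'User Account Changed (password set)';}
Exec if $EventID == 4740 {$action = 'Account Lockouts – All users';}
Exec if $EventID == 4741 {$action = 'A computer account was created.';}
Exec if $EventID == 4742 {$action = 'A computer account was changed.';}
Exec if $EventID == 4743 {$action = 'A computer account was deleted.';}
Exec if $EventID == 4744 {$action = 'Local Distribution group created';}
Exec if $EventID == 4745 {$action = 'Local Distribution group changed';}
Exec if $EventID == 4746 {$action = 'Local Distribution group member added';}
Exec if $EventID == 4747 {$action = 'Local Distribution group member removed';}
Exec if $EventID == 4748 {$action = 'Local Distribution group deleted';}
Exec if $EventID == 4749 {$action = 'Global Distribution Group created';}
Exec if $EventID == 4750 {$action = 'Global Distribution Group changed';}
Exec if $EventID == 4751 {$action = 'Global Distribution Group member added';}
Exec if $EventID == 4752 {$action = 'Global Distribution Group member removed';}
Exec if $EventID == 4753 {$action = 'Global Distribution Group deleted';}
Exec if $EventID == 4754 {$action = 'A universal security group was created.';}
Exec if $EventID == 4755 {$action = 'A universal security group was changed';}
Exec if $EventID == 4756 {$action = 'A universal security group member added';}
Exec if $EventID == 4757 {$action = 'A universal security group member removed';}
Exec if $EventID == 4758 {$action = 'A security-enabled universal group was deleted.';}
# "Distribution" spelled consistently with the 474x/475x labels above.
Exec if $EventID == 4759 {$action = 'Universal Distribution Group Created';}
Exec if $EventID == 4760 {$action = 'Universal Distribution Group Changed';}
Exec if $EventID == 4761 {$action = 'Universal Distribution Group Member added';}
Exec if $EventID == 4762 {$action = 'Universal Distribution Group Member removed';}
Exec if $EventID == 4763 {$action = 'Universal Distribution Group Deleted';}
Exec if $EventID == 4764 {$action = 'A group’s type was changed.';}
Exec if $EventID == 4767 {$action = 'Account Lockout Release – All users';}
Exec if $EventID == 4768 {$action = 'Authentication Request (logged on the DC)';}
Exec if $EventID == 4771 {$action = 'Kerberos Pre-authentication failed';}
Exec if $EventID == 4772 {$action = 'Kerberos Authentication ticket request failed';}
Exec if $EventID == 4776 {$action = 'Account Logon (with a local Computer account)';}
Exec if $EventID == 4778 {$action = 'Remote desktop Session Reconnected';}
Exec if $EventID == 4779 {$action = 'Remote desktop Session Disconnected';}
Exec if $EventID == 4781 {$action = 'User account name changed';}
Exec if $EventID == 4800 {$action = 'Source:Microsoft-Windows-Security-Auditing,The workstation was locked.';}
Exec if $EventID == 4801 {$action = 'Source:Microsoft-Windows-Security-Auditing,The workstation was unlocked.';}
Exec if $EventID == 4802 {$action = 'Screen Saver invoked';}
Exec if $EventID == 4803 {$action = 'Screen Saver dismissed';}
Exec if $EventID == 5136 {$action = 'Source:Microsoft-Windows-Security-Auditing,A directory service object was modified.';}
Exec if $EventID == 5137 {$action = 'A directory service object was created.';}
Exec if $EventID == 5141 {$action = 'A directory service object was deleted.';}
Exec if $EventID == 5143 {$action = 'All access to folders containing Cardholder Data';}
# FIXME: duplicate ID - this rule overwrites the 5143 label set directly above, so
# the first label is never emitted; one of the two IDs is probably a typo.
Exec if $EventID == 5143 {$action = 'Changes to %SYSTEMROOT%\SYSTEM32 folder contents (System Level Object)';}
Exec if $EventID == 5144 {$action = 'network share was deleted';}
# FIXME: 47239 is the only five-digit ID in this list and does not look like a
# Windows Security event ID; verify which event this rule was meant to match.
Exec if $EventID == 47239 {$action = 'Password Change';}
Exec if $EventID == 6144 {$action = 'Application of group policies to a container';}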