Setting Up Events and Alerts in Graylog

Alerts in centralized log management can give real-time notice of an attack, or advance notice of an attack so that you can take steps to prevent or minimize it. While alerts have always been a key part of centralized log management, they became even more important with a distributed workforce.

In this video, we are going to review how you can use Graylog to set up an event and add alerts to help pinpoint potential issues and notify your teams when those issues occur.

Use Case – Vulnerability Management Team

A real-world use case where Graylog’s event and alerting capabilities could be used is in a vulnerability management team. In this scenario, the vulnerability management team is in charge of deploying patches or mitigating controls to remediate known security issues.

The vulnerability management team is using Graylog as a centralized log management system to gather, store, and report on their vulnerability management data.

They want to set up a mechanism to provide event details when a new vulnerability is introduced into their network. They also want to alert their team as soon as those new vulnerabilities are introduced.

Since all of their log data is being captured in Graylog, they utilize the event and alerting capabilities to provide near real-time events and alerting to ensure that they are aware of any new vulnerability in their network.

Let’s take a look at how the vulnerability management team can set up an event and add an alert in Graylog. Once they get logged into Graylog, they will click on Alerts in the main menu bar at the top of the screen.

Define the Event

Now that the Alerts and Events screen is open, they will need to define the Event.

A set of dialog boxes will be displayed that allows them to set the Title, Description, and Priority of the event. Once those fields are entered, they will click on the Next button in the bottom right corner of the screen.

They are now on the Event Correlation tab. Here they can configure how Graylog should create this event. There are two different condition types: Filter and Aggregation, or Event Correlation. Each of these options produces its own set of additional fields.

The Filter and Aggregation condition type allows them to add a filter based on a user-defined search query. From there, they can select the stream that they want the search to include. If this field is left empty, the search query will search all streams. Next, they can define how far back in time they want the search to look and how often the search will run.

They can then create events if the search query produces results, or they can set an aggregation of results if the search reaches a user-defined threshold.

If they select the aggregation of results, there is an additional set of conditions that have to be configured.

An Aggregation can run a mathematical operation on either a numeric field value or the raw count of messages generated that match the Filter.

Aggregation can group matches by a selected field before making the comparison. For instance, if the field username is defined, then it is possible to alert on five successive failed logins by a particular username.
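
The grouped aggregation described above, sketched as an added example (this is not Graylog's code and not part of the original walkthrough): a filter, a search window, a count() grouped by a field, and a threshold comparison, run over constructed messages. The field names, the sample data, and the helper names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current" time


def msg(minutes_ago, username, result):
    """Build one constructed log message; field names are assumptions."""
    return {"timestamp": NOW - timedelta(minutes=minutes_ago),
            "username": username, "action": "login", "result": result}


# Constructed sample data, not real Graylog output.
MESSAGES = (
    [msg(i, "alice", "failure") for i in range(1, 6)]          # 5 failures in window
    + [msg(i, "bob", "failure") for i in range(1, 5)]          # 4 failures in window
    + [msg(2, "bob", "success")]                               # dropped by the filter
    + [msg(i, "carol", "failure") for i in (1, 2, 3, 20, 25)]  # 2 are too old
)


def is_failed_login(m):
    """Stand-in for the search query, e.g. action:login AND result:failure."""
    return m["action"] == "login" and m["result"] == "failure"


def evaluate(messages, now, search_within, group_by=None, threshold=5):
    """Return one event per group where count() of filtered messages >= threshold."""
    start = now - search_within
    counts = Counter(
        m.get(group_by) if group_by else None
        for m in messages
        if start <= m["timestamp"] <= now and is_failed_login(m)
    )
    return [{"group_by": group_by, "key": key, "count": n}
            for key, n in sorted(counts.items(), key=lambda kv: str(kv[0]))
            if n >= threshold]


if __name__ == "__main__":
    window = timedelta(minutes=10)
    # Grouped: only alice reaches 5, so one event names her.
    print("grouped:  ", evaluate(MESSAGES, NOW, window, group_by="username"))
    # Ungrouped: all 12 failures are pooled into one event with no username.
    print("ungrouped:", evaluate(MESSAGES, NOW, window))
```

The count is taken over the whole search window, so the length of the window and the choice of group-by field decide which users cross the threshold; widening the window to 30 minutes in this sample also produces an event for carol.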

Once they have their criteria set, they will click on the Next button in the bottom right corner of the screen. The screen will then switch to the Fields tab.

Creating Custom Fields

Creating Custom Fields allows the Event to populate data from the original log into the Graylog Events index. This prevents the team from having to run subsequent searches to get vital information. This can also be used to limit the amount of data sent to a Notification target. The event will be recorded to the “All Events” stream and will contain the Custom Field, as well as the result of the Aggregation that triggered the Event.

Once they have the criteria set, they will click on the Next button in the bottom right corner of the screen. The Notifications tab will now open.

After defining the Events that are needed to trigger an Alert, it is possible to attach a Notification. By attaching a Notification to an Event or group of Events they can determine how and when the information will flow out from Graylog.

On the notifications page, they can create a new notification by filling out the notification details.

Notification Types

There are three different Notification Types and each has its own set of additional fields that must be configured.

  • Email Notification: The email alert notification can be used to send an email to the configured alert receivers when the conditions are triggered.
  • HTTP Notification: The HTTP alert notification lets you configure an endpoint that will be called when the alert is triggered.
  • Legacy Alarm Callbacks: The Script Alert Notification lets you configure a script that will be executed when the alert is triggered.

Now that the Notification settings are complete, they will click on the Next button in the bottom right corner of the screen.

Review the Alert Details

This will open the Summary tab where they can review the Alert details that were just created. If everything looks correct, they will click on the Done button in the bottom right corner of the screen to save the Event. The Event may be viewed under Alerts > Event Definitions.

This new event and the attached alert will notify the vulnerability management team when new vulnerabilities are present in their network and will provide alerting when those events meet the conditions that the team configured. Graylog’s ability to provide user-defined events and alerts can greatly increase the vulnerability management team’s effectiveness in remediating the vulnerabilities in their network.

Thank you for watching this video on how Graylog’s event and alerting capabilities can be utilized to provide real-world solutions to complex technical issues. Happy Logging!