Hi everyone, I'm a new user to Graylog and it looks great. I started looking because I wanted to feed my Samba audit logs into a central location. In addition to this, I want a way to be able to "watch" my Samba logs for suspicious activity. Ransomware has been hitting everyone; luckily we have a very solid hourly backup routine using ZFS, but restoring is never nice to do. Often the AV companies are days behind an outbreak, so we started using scripts to watch the audit logs for the usual suspect names they use, but even that changes regularly. What I was hoping to do with Graylog is "watch" my logs and alert if, for example, x number of pwrites occur from the same IP in n seconds.
Can this be done? If so, any tips or hints to get me started?

You received this message because you are subscribed to the Google Groups "Graylog Users" group. To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/75280096-ff58-42bb-92ac-86c0b5889ce5%40googlegroups.com.
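The rule the poster describes ("x pwrites from the same IP in n seconds") is a per-client sliding-window threshold over Samba's vfs_full_audit records. The following is an added example, not code from the original post or from the Graylog project: it parses smbd_audit syslog lines and raises an alert when one client IP completes the threshold number of successful pwrite operations inside the window. It assumes the audit prefix `%u|%I|%m|%S` (user, IP, machine, share) with pwrite listed in `full_audit:success`; the exact field layout depends on the prefix configured in smb.conf, and the sample log lines below are constructed for the demonstration. Whatever tool ends up running the rule, this is the logic the alert condition has to express.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed syslog layout (not from the original post): Samba's vfs_full_audit
# configured with "full_audit:prefix = %u|%I|%m|%S" and pwrite in
# full_audit:success, so each record reads
#   user|ip|machine|share|operation|ok-or-fail|path
AUDIT_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]*)\|(?P<ip>[^|]*)\|(?P<machine>[^|]*)\|(?P<share>[^|]*)\|"
    r"(?P<op>[^|]*)\|(?P<status>[^|]*)\|(?P<path>.*)$"
)


def parse_audit_line(line, year=2016):
    """Return a dict for one smbd_audit line, or None if the line is something else."""
    m = AUDIT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Classic syslog timestamps carry no year; the caller supplies it (assumption).
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


class PwriteBurstDetector:
    """Alert when one client IP completes >= threshold ops within window_seconds."""

    def __init__(self, op="pwrite", threshold=5, window_seconds=10):
        self.op = op
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self.recent = defaultdict(deque)  # ip -> timestamps still inside the window

    def feed(self, rec):
        """Feed one parsed record; return an alert dict when the threshold is crossed."""
        if rec["op"] != self.op or rec["status"] != "ok":
            return None  # only count the operation we care about, and only successes
        q = self.recent[rec["ip"]]
        q.append(rec["ts"])
        cutoff = rec["ts"] - self.window
        while q and q[0] < cutoff:  # drop writes that have fallen out of the window
            q.popleft()
        if len(q) >= self.threshold:
            alert = {"ip": rec["ip"], "user": rec["user"], "count": len(q),
                     "first": q[0], "last": q[-1], "last_path": rec["path"]}
            q.clear()  # one alert per burst, then start counting again
            return alert
        return None


def scan(lines, **kwargs):
    """Run the detector over raw log lines; return the list of alerts raised."""
    det = PwriteBurstDetector(**kwargs)
    alerts = []
    for line in lines:
        rec = parse_audit_line(line)
        if rec is None:
            continue  # not an smbd_audit record (sshd, cron, ...); ignore it
        alert = det.feed(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: one workstation rewriting five files in three seconds,
# one user doing ordinary work, plus a failed write and an unrelated sshd line.
SAMPLE_LINES = [
    "Mar  3 09:15:01 nas1 smbd_audit: bob|192.168.1.21|ws-bob|projects|pwrite|ok|q1/report.docx",
    "Mar  3 09:15:02 nas1 smbd_audit: alice|192.168.1.50|ws-alice|projects|pwrite|ok|q1/a.docx.locked",
    "Mar  3 09:15:02 nas1 smbd_audit: alice|192.168.1.50|ws-alice|projects|pwrite|ok|q1/b.xlsx.locked",
    "Mar  3 09:15:03 nas1 smbd_audit: alice|192.168.1.50|ws-alice|projects|pwrite|ok|q1/c.pdf.locked",
    "Mar  3 09:15:03 nas1 smbd_audit: alice|192.168.1.50|ws-alice|projects|pwrite|fail|q1/readonly.txt",
    "Mar  3 09:15:04 nas1 sshd[1122]: Accepted publickey for root from 10.0.0.5",
    "Mar  3 09:15:04 nas1 smbd_audit: alice|192.168.1.50|ws-alice|projects|pwrite|ok|q1/d.txt.locked",
    "Mar  3 09:15:05 nas1 smbd_audit: alice|192.168.1.50|ws-alice|projects|pwrite|ok|q1/e.doc.locked",
    "Mar  3 09:15:40 nas1 smbd_audit: bob|192.168.1.21|ws-bob|projects|pwrite|ok|q1/report.docx",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LINES, threshold=5, window_seconds=10):
        print(f"ALERT {a['ip']} ({a['user']}): {a['count']} pwrites between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}, last file {a['last_path']}")
```

Two design points worth keeping whichever tool runs the rule: key the window on the client IP (or the user, or both) rather than counting writes globally, otherwise a busy file server trips the threshold on its own, and only count successful operations so that a client hammering a read-only share with failed writes does not mask or inflate a real burst. Tune the threshold against a day of normal traffic first; a large copy job from one workstation looks exactly like this and will need an allow-list or a higher limit.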