Tom,
I didn't see where you specified the firewall/routers, but I have an ACL in our
Cisco router that checks outbound traffic, and if any traffic matches an ACL
rule it is set to log.
This router logging is sent to our Graylog2 collector via syslog messages to
the specified IP/port combination.
The syslog entries coming from the firewall have all the information needed for
decent logging.
Based on these syslog messages, you can create your alerts on the
router/firewall inputs.
Curtis Starnes
Senior Network Administrator
Granbury ISD
600 W. Bridge St. Ste. 40
Granbury, Texas 76048
(817) 408-4104
(817) 408-4126 Fax
curtis.star...@granburyisd.org
www.granburyisd.org
OPEN RECORDS NOTICE: This email and responses may be subject to Texas Open
Records laws and may be disclosed to the public upon request.
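As an added example (not code from either poster or from Graylog itself), the following Python script shows the checking logic Curtis describes applied directly to Cisco ACL syslog lines: parse the %SEC-6-IPACCESSLOGP messages an extended ACL emits when a logged rule matches, then flag any flow from the site network whose destination is outside the approved range Tom gave (192.168.1.1-10). The sample syslog lines, the ACL name OUTBOUND and the hostname fw-loc-042 are constructed for the example; the message body format is the standard IOS one. Flagging on destination rather than on the ACL action also catches a "permitted" hit to an unapproved address, which would mean the ACL at that location is looser than intended.

```python
"""Flag Cisco ACL syslog hits whose destination is outside an approved range."""
import ipaddress
import re
from typing import Iterable, List, Optional, Set

# Body of a Cisco IOS %SEC-6-IPACCESSLOGP message (extended ACL, tcp/udp with ports):
#   list <acl> <permitted|denied> <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)
# re.search is used so the syslog priority, timestamp and hostname in front do not matter.
ACL_LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>tcp|udp) (?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)


def approved_range(first: str, last: str) -> Set[ipaddress.IPv4Address]:
    """Expand an inclusive IPv4 range (e.g. 192.168.1.1 to 192.168.1.10) into a set."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return {ipaddress.IPv4Address(int(start) + i) for i in range(int(end) - int(start) + 1)}


def parse_acl_log(line: str) -> Optional[dict]:
    """Return the fields of an IPACCESSLOGP line, or None for any other syslog line."""
    m = ACL_LOG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    try:
        event["src"] = ipaddress.IPv4Address(event["src"])
        event["dst"] = ipaddress.IPv4Address(event["dst"])
    except ValueError:  # octet out of range, e.g. 999.1.1.1: treat as unparseable
        return None
    event["count"] = int(event["count"])
    return event


def find_violations(lines: Iterable[str], approved: Set[ipaddress.IPv4Address],
                    site_net: str) -> List[dict]:
    """Events where a host on site_net talked to a destination not in the approved set."""
    site = ipaddress.IPv4Network(site_net)
    violations = []
    for line in lines:
        ev = parse_acl_log(line)
        if ev is None or ev["src"] not in site:
            continue  # not an ACL hit, or not one of the site's PCs
        if ev["dst"] not in approved:
            violations.append(ev)
    return violations


def alert_text(ev: dict) -> str:
    """One-line alert body, the kind of text a Graylog alert callback would carry."""
    return (f"ALERT: {ev['src']} tried {ev['proto']}/{ev['dport']} to {ev['dst']} "
            f"(ACL {ev['acl']} {ev['action']}, {ev['count']} packet(s))")


# Constructed sample syslog lines: one denied hit to an outside address, one
# permitted hit inside the approved range, one permitted hit to an unapproved
# on-site address, one hit from a non-site source, and an unrelated message.
SAMPLE_LINES = [
    "<190>Aug 19 15:07:01 fw-loc-042 101: *Aug 19 15:07:01.123: %SEC-6-IPACCESSLOGP: "
    "list OUTBOUND denied tcp 192.168.1.5(49152) -> 172.17.1.1(445), 1 packet",
    "<190>Aug 19 15:07:02 fw-loc-042 102: *Aug 19 15:07:02.456: %SEC-6-IPACCESSLOGP: "
    "list OUTBOUND permitted tcp 192.168.1.5(49153) -> 192.168.1.3(443), 4 packets",
    "<190>Aug 19 15:07:03 fw-loc-042 103: *Aug 19 15:07:03.789: %SEC-6-IPACCESSLOGP: "
    "list OUTBOUND permitted udp 192.168.1.7(5353) -> 192.168.1.200(5353), 2 packets",
    "<190>Aug 19 15:07:04 fw-loc-042 104: *Aug 19 15:07:04.012: %SEC-6-IPACCESSLOGP: "
    "list OUTBOUND denied tcp 10.9.9.9(40000) -> 8.8.8.8(53), 1 packet",
    "<189>Aug 19 15:07:05 fw-loc-042 105: *Aug 19 15:07:05.345: %SYS-5-CONFIG_I: "
    "Configured from console by admin on vty0",
]
APPROVED = approved_range("192.168.1.1", "192.168.1.10")

if __name__ == "__main__":
    for ev in find_violations(SAMPLE_LINES, APPROVED, "192.168.1.0/24"):
        print(alert_text(ev))
```

In Graylog the same condition is expressed as a stream rule or search on the extracted destination field, but running the check as a script first is a quick way to confirm that the ACL log lines actually carry the source, destination and action fields the alert needs before building the stream.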
From: graylog2@googlegroups.com [mailto:graylog2@googlegroups.com] On Behalf Of
Tom Vile
Sent: Friday, August 19, 2016 3:07 PM
To: Graylog Users <graylog2@googlegroups.com>
Subject: [graylog2] Need assistance on building an alert.
I have been tasked with building out a Graylog2 cluster solution at my company
and it has been going very well but need some help with the best way to handle
a rather complex alert.
We have roughly 1500 Windows computers with 4 at roughly 400 locations on their
own private networks. They are locked down so that they can only communicate
with specific IP addresses
listed in a firewall that is at each location. All the firewalls are of the
same make and model if that helps. I do not need assistance with communication
to each location as that is already working.
What I want to do is create an alert so that if one of the computers attempts
to communicate outside of the approved IP network I get an alert.
--
Example:
Location has an IP network of 192.168.1.0
PC attempts to communicate with an IP address outside of the IP range of
192.168.1.1-10
If the PC attempts to connect to an IP of say 172.17.1.1 or any other not
approved I receive an alert.
--
Generally this is not an issue but security is a top priority and there have
been times where a tech plugs in something where he/she shouldn't or an
employee does the same.
I have been successful in setting up quite a few alerts and they work great but
I want to make certain I do this in the best possible way without it being too
complex if possible.
What would be the best way of handling a condition like this?
Thanks in advance for any suggestions,
Tom
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to
graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/0e029699-f35e-4c0d-83c6-8d23d0c0e426%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.