Closed naggappan closed 5 years ago
Hello,
Use the plugin graylog-plugin-aggregation-count. Put "username" in grouping fields and "source_country" in distinction fields. Configure the time range to 60 and the threshold to more than 1 so it will trigger an alert as soon as you get a different source_country within 1 hr.
I have a JSON log which is in Graylog with source_ip, so I added the country code DB in Graylog and now it shows the source_country field as well.
Is it possible to check with this plugin whether, in the JSON, "username":"bob" & "source_country":"IN" stay the same for every 1 hr? So that if within 1 hr the same username appears with a different source_country, it should raise an alert.
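The rule described in the reply above (group by username, count distinct source_country values over a trailing 60-minute window, alert when the count exceeds 1) evaluated outside Graylog, as an added example that is not part of this thread and not the plugin's own code. It assumes JSON lines with `timestamp`, `username` and `source_country` fields (field names are the ones mentioned in the question; the timestamp format and the sample log lines are constructed for the example), and that lines arrive in time order:

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). bob logs in from two
# countries 35 minutes apart, alice from one country, carol from two
# countries 75 minutes apart (outside the window, so no alert).
SAMPLE_LOG = """\
{"timestamp": "2024-01-01T10:00:00Z", "username": "bob", "source_ip": "203.0.113.7", "source_country": "IN"}
{"timestamp": "2024-01-01T10:20:00Z", "username": "alice", "source_ip": "198.51.100.4", "source_country": "DE"}
{"timestamp": "2024-01-01T10:35:00Z", "username": "bob", "source_ip": "192.0.2.9", "source_country": "US"}
{"timestamp": "2024-01-01T10:50:00Z", "username": "alice", "source_ip": "198.51.100.5", "source_country": "DE"}
{"timestamp": "2024-01-01T11:30:00Z", "username": "carol", "source_ip": "203.0.113.20", "source_country": "FR"}
{"timestamp": "2024-01-01T12:45:00Z", "username": "carol", "source_ip": "192.0.2.30", "source_country": "BR"}
"""

WINDOW = timedelta(minutes=60)   # "time range 60" in the reply
THRESHOLD = 1                    # alert when distinct countries per user > 1


def parse_line(line):
    """Parse one JSON log line into (timestamp, username, source_country).

    Assumes an ISO-8601 UTC timestamp with a trailing 'Z' (assumption for
    this example; Graylog's own timestamp field may be formatted differently).
    """
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
    return ts, rec["username"], rec["source_country"]


def detect_country_changes(lines, window=WINDOW, threshold=THRESHOLD):
    """Trailing-window aggregation: group by username, distinct on source_country.

    Returns a list of (timestamp, username, countries) alerts, one per
    log line at which the number of distinct countries seen for that user
    within the preceding `window` exceeds `threshold`. Input lines must be
    in ascending time order.
    """
    recent = defaultdict(deque)   # username -> deque of (ts, country) in window
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, country = parse_line(line)
        events = recent[user]
        # Drop events that fell out of the trailing window.
        while events and events[0][0] < ts - window:
            events.popleft()
        events.append((ts, country))
        distinct = {c for _, c in events}
        if len(distinct) > threshold:
            alerts.append((ts, user, tuple(sorted(distinct))))
    return alerts


if __name__ == "__main__":
    for ts, user, countries in detect_country_changes(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} ALERT user={user} countries={','.join(countries)}")
```

Two things the script makes visible that the plugin settings alone do not: the window is trailing, so carol's FR login at 11:30 has already expired when the BR login arrives at 12:45 and nothing fires, and the alert fires on every subsequent line while two countries remain inside the window, so a real deployment needs alert deduplication (or a grace period) per user.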