DalJeanis,
So re-reading your response, sounds like the logs would need to have a common field of some sort. Here is the raw log:
2017-08-22 00:01:03.624; [00000C3C] {125} username has successfully authenticated via Password
2017-08-22 00:01:03.610; [00000C3C] {121} username tries Password authentication
2017-08-22 00:01:03.376; [00000C3C] {110} enforcing anti-hammering delay [0.20 secs]
2017-08-22 00:01:03.288; [00000C3C] {120} username requests Password authentication
2017-08-22 00:01:02.207; [000009A8] {000} * x.x.x.x -> 1 active connections
2017-08-22 00:01:02.207; [000009A8] {109} List of currently connected IP and count of per-IP connections:
2017-08-22 00:01:02.113; [000009A8] {112} Optimizing socket configuration for better performance
2017-08-22 00:01:02.113; [000009A8] {111} Incoming connection request from [x.x.x.x]
So using the above logs, I was trying to see if I could possibly correlate category={000} with category={125}, maybe by time. So if the search sees category={000} and, within say 5 secs later, category={125} is listed, table source_ip (from category={000}) and username (from category={125}).
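The time-window correlation asked about above, written out as a small standalone Python script (an added example, not code from the poster or from any Splunk answer). It assumes the line layout shown in the post (timestamp; [thread id] {category} message), keeps the events from the post verbatim with the x.x.x.x placeholder, and adds one constructed {000} line for a second address (y.y.y.y) that has no {125} event within the window, to show the window actually filtering. Because the two events sit on different thread ids, the only link used is the timestamp: for every {000} line the script looks at the {125} lines that follow within 5 seconds and emits source_ip and username pairs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log: the lines from the post (newest first, as posted)
# plus one extra {000} line for y.y.y.y that has no {125} within 5 seconds.
SAMPLE_LOG = """
2017-08-22 00:01:03.624; [00000C3C] {125} username has successfully authenticated via Password
2017-08-22 00:01:03.610; [00000C3C] {121} username tries Password authentication
2017-08-22 00:01:03.376; [00000C3C] {110} enforcing anti-hammering delay [0.20 secs]
2017-08-22 00:01:03.288; [00000C3C] {120} username requests Password authentication
2017-08-22 00:01:02.207; [000009A8] {000} * x.x.x.x -> 1 active connections
2017-08-22 00:01:02.207; [000009A8] {109} List of currently connected IP and count of per-IP connections:
2017-08-22 00:01:02.113; [000009A8] {112} Optimizing socket configuration for better performance
2017-08-22 00:01:02.113; [000009A8] {111} Incoming connection request from [x.x.x.x]
2017-08-22 00:00:40.000; [000009A8] {000} * y.y.y.y -> 1 active connections
"""

# Assumed line layout: "<timestamp>; [<hex thread id>] {<3-digit category>} <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}); "
    r"\[(?P<thread>[0-9A-Fa-f]+)\] \{(?P<category>\d{3})\} (?P<msg>.*)$"
)
# {000} message: "* <ip> -> <n> active connections"
IP_RE = re.compile(r"\* (?P<ip>\S+) -> (?P<count>\d+) active connections")
# {125} message: "<user> has successfully authenticated via <method>"
AUTH_RE = re.compile(r"^(?P<user>\S+) has successfully authenticated via (?P<method>\S+)$")


def parse(text):
    """Parse log text into a list of event dicts sorted oldest-first.

    Lines that do not match the assumed layout are skipped rather than
    raising, so a stray wrapped line does not abort the whole run.
    """
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "thread": m["thread"],
            "category": m["category"],
            "msg": m["msg"],
        })
    # The log is written newest-first; correlation is easier oldest-first.
    events.sort(key=lambda e: e["ts"])
    return events


def correlate(events, window_secs=5.0):
    """Pair each {000} connection event with any {125} success that follows
    within window_secs. Returns rows of source_ip, username, delta_secs."""
    window = timedelta(seconds=window_secs)
    rows = []
    for i, ev in enumerate(events):
        if ev["category"] != "000":
            continue
        ip_m = IP_RE.search(ev["msg"])
        if not ip_m:
            continue
        for later in events[i + 1:]:
            gap = later["ts"] - ev["ts"]
            if gap > window:
                break  # events are sorted, nothing further can be in the window
            if later["category"] != "125":
                continue
            auth_m = AUTH_RE.match(later["msg"])
            if auth_m:
                rows.append({
                    "source_ip": ip_m["ip"],
                    "username": auth_m["user"],
                    "delta_secs": gap.total_seconds(),
                })
    return rows


def correlate_text(text, window_secs=5.0):
    """Convenience wrapper: raw log text in, correlated rows out."""
    return correlate(parse(text), window_secs)


if __name__ == "__main__":
    for row in correlate_text(SAMPLE_LOG):
        print(f"{row['source_ip']:<12} {row['username']:<12} +{row['delta_secs']:.3f}s")
```

On the sample above this prints one row, x.x.x.x paired with username about 1.4 s after the connection line; the y.y.y.y connection produces nothing because no {125} follows it within 5 seconds. The same window-based pairing is what a Splunk `transaction` with a `maxspan` of 5s would do once the category, IP and user fields are extracted; the caveat in both cases is that on a busy server several {000} lines can fall inside one window, so a purely time-based join can attribute a login to the wrong address and the thread id, where it is shared, is the safer key.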