Action to block IP address

Hi Team,

Wondering if graylog can send or execute commands through API to third party system? I mean as an action I can fire up APT command to my firewall and have that firewall block IP?

If yes can someone please guide me how to?

It depends on your firewall, but what I know:

  • create a stream that will contain only the messages that you want to forward to the firewall
  • create http output for that stream
  • now use processing pipelines to filter out the messages you need and route them into the first created stream

You might need to heavily modify the messages in the stream with the output to be able to act on your firewall accordingly.

hmm…man slow down :slight_smile: I am pretty novice. :wink:

Any ways let me scratch the head and see what can be done.

Thanks a lot for your quick help.

BTW other one. I have certain malicious domains and have those ready in csv format since I am taking DNS logs in graylog wondering if lookup table can translate and highlight those malicious domains from logs?

Hey @blason,

Have a look at

Simple use the lookup function in the when part of a rule. If a message matches in the CSV lookup table, then set a field like set_field(field: "maliciousDomain", value: true) or if you have data in your CSV file that you want in the message, simply do
set_fields(fields: lookup(lookup_table: "myTable", key: $message.websiteIP,))

Example (not tested!):

rule "isMaliciousDomain"
    lookup_value("myTable", $message.websiteIP) == true //Select a field that you can check here as single value return
    set_fields(fields: lookup(lookup_table: "myTable", key: $message.websiteIP));


This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.