First, thanks for creating a great project. I have successfully set up the latest version of Graylog using Docker Compose. I am getting two streams from my router. One is the PPPoE server daemon logs and the second one is firewall logs of actual user traffic on ports 80 and 443. The issue is that the PPPoE server, in my case accel-ppp, does not create the interface name based on the user ID, so in the firewall logs I am not able to see which user went to a specific webpage. In the first stream I am getting some messages when PPPoE is established that contain a mapping, like this interface belongs to this user. So, how can I get the user ID from stream one into stream two? Any help will be highly appreciated.
I don’t think this is possible natively within Graylog. But it’s still achievable by providing an external data store. Store the user ID mapping from the first stream; then read it when processing the second stream. Something like this:
Graylog Pipeline
↓
HTTP call
↓
Redis / Service
↓
HTTP Lookup Adapter
↓
Pipeline enrichment
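A sketch of the logic the "Redis / Service" box would need, as an added example that is not part of the original thread. It goes one step beyond the reply by keeping a session history per interface, because a pppN name is reused by later sessions and a firewall line has to be attributed to whoever held the interface at that timestamp. The log line shapes, field names and epoch-second timestamps are constructed assumptions, not real accel-ppp or firewall output.

```python
import bisect
import re
from collections import defaultdict

# Assumed, constructed message shapes; adapt both regexes to the real logs.
SESSION_RE = re.compile(
    r"^(?P<ts>\d+) accel-ppp: (?P<ifname>ppp\d+): (?P<user>\S+): "
    r"session (?P<event>started|finished)$")
FIREWALL_RE = re.compile(
    r"^(?P<ts>\d+) fw: IN=(?P<ifname>ppp\d+) .*DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)")

class SessionMap:
    """Per-interface timeline of (timestamp, user); "" marks a closed session."""
    def __init__(self):
        self._events = defaultdict(list)

    def ingest(self, line):
        m = SESSION_RE.match(line)
        if m is None:
            return False
        user = m["user"] if m["event"] == "started" else ""
        # insort keeps the timeline sorted even if messages arrive out of order
        bisect.insort(self._events[m["ifname"]], (int(m["ts"]), user))
        return True

    def user_at(self, ifname, ts):
        events = self._events.get(ifname, [])
        # index of the last session event at or before ts
        i = bisect.bisect_right(events, (ts, "\U0010ffff")) - 1
        return (events[i][1] or None) if i >= 0 else None

def enrich(line, sessions):
    """Return the firewall fields plus the attributed user, or None if no match."""
    m = FIREWALL_RE.match(line)
    if m is None:
        return None
    return {"ifname": m["ifname"], "dst": m["dst"], "dpt": int(m["dpt"]),
            "user": sessions.user_at(m["ifname"], int(m["ts"]))}

# Constructed sample input: ppp0 is held by alice, released, then reused by bob.
PPPOE_LOG = ["1000 accel-ppp: ppp0: alice: session started",
             "1500 accel-ppp: ppp0: alice: session finished",
             "1600 accel-ppp: ppp0: bob: session started"]
FIREWALL_LOG = ["1200 fw: IN=ppp0 OUT=eth0 SRC=10.0.0.2 DST=203.0.113.10 DPT=443",
                "1550 fw: IN=ppp0 OUT=eth0 SRC=10.0.0.2 DST=203.0.113.10 DPT=80",
                "1700 fw: IN=ppp0 OUT=eth0 SRC=10.0.0.7 DST=198.51.100.5 DPT=443"]

def attribute_all():
    sessions = SessionMap()
    for line in PPPOE_LOG:
        sessions.ingest(line)
    return [enrich(line, sessions)["user"] for line in FIREWALL_LOG]
```

A plain interface-to-user key in the store would attribute the second firewall line to alice and, after bob connects, every older ppp0 line to bob; the timeline leaves the gap between sessions unattributed instead.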