Hello Everyone,
We want to see all the details of a visitor's network, based on their IP address, in our Graylog dashboard. For instance -
What we already have - the nginx logs look like this, using JSON formatting -
{"@timestamp": "2021-03-03T10:14:09+01:00", "remote_addr": "88.130.155.155", "remote_user": "", "body_bytes_sent": "0", "request_time": "0.000", "status": "304", "request": "GET /assets/js/bootstrap/bootstrap.bundle.min.js HTTP/1.1", "request_method": "GET", "http_host": "test.abc.xyz", "http_referrer": "https://test.abc.xyz/", "http_x_forwarded_for": "", "scheme": "https", "upstream_addr": "", "upstream_status": "", "upstream_response_time": "", "upstream_cache_status": "", "http_user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36", "CloudFlare-IPCountry": "", "CloudFlare-Connecting-IP": "", "args": "", "request_uri": "/assets/js/bootstrap/bootstrap.bundle.min.js" }
How the logs are currently displayed in Graylog - screenshot of just a few fields -
We want to get a new field with the visitor's network details - for example -
The configuration already done is as follows -
- Created cache
- Created a data adapter - while giving db file path for ASN
- Created a lookup table
- Created a pipeline.
- Created a pipeline rule
Rule source -
rule "remote addr who is"
when
    has_field("remote_addr")
then
    // Look up the ASN entry for remote_addr; the third argument of lookup_value
    // is the default, so the field becomes "Not available" when the address is not in the table
    let lookup_result = lowercase(to_string(lookup_value("whois", to_string($message.remote_addr), "Not available")));
    set_field("remote_addr_whois", lookup_result);
end
Is there anything missing or incorrect with the approach?
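Here is an added example (not from the post and not Graylog's own code) that reproduces what the rule does outside Graylog, so the value the new field should carry can be checked before the pipeline is wired up: it stands in for the ASN-backed lookup table with a constructed longest-prefix CIDR match and applies the has_field / default / lowercase logic to nginx JSON lines. The table contents, AS numbers and the extra log lines are made up.

```python
import ipaddress
import json

# Constructed stand-in for the ASN-backed lookup table described in the post.
# Prefixes and AS numbers are made up (AS64496-64511 are reserved for documentation).
ASN_ENTRIES = {
    "88.130.0.0/16": "AS64496 Example-ISP-A",
    "88.130.155.0/24": "AS64497 Example-Hosting-B",   # more specific prefix, wins
    "203.0.113.0/24": "AS64498 Example-Net-C",
}

def build_table(entries):
    """Parse CIDR keys once; longest prefix first so the first hit is the best match."""
    nets = [(ipaddress.ip_network(c, strict=False), v) for c, v in entries.items()]
    return sorted(nets, key=lambda nv: nv[0].prefixlen, reverse=True)

def lookup_value(table, key, default="Not available"):
    """Mimics Graylog's lookup_value(table, key, default): default on a miss or a bad key."""
    try:
        addr = ipaddress.ip_address(key)
    except ValueError:
        return default
    for net, value in table:
        if addr.version == net.version and addr in net:
            return value
    return default

def enrich(log_line, table):
    """Apply the post's rule: when remote_addr exists, set remote_addr_whois (lowercased)."""
    msg = json.loads(log_line)
    if "remote_addr" in msg:                      # has_field("remote_addr")
        msg["remote_addr_whois"] = str(lookup_value(table, msg["remote_addr"])).lower()
    return msg

# Trimmed nginx JSON line from the post, plus two constructed variants:
# an address not in the table, and a line with no remote_addr at all.
SAMPLE_LOG = '{"remote_addr": "88.130.155.155", "status": "304", "request_method": "GET"}'
UNKNOWN_LOG = '{"remote_addr": "198.51.100.7", "status": "200"}'
NO_ADDR_LOG = '{"status": "200", "request_method": "GET"}'

if __name__ == "__main__":
    table = build_table(ASN_ENTRIES)
    for line in (SAMPLE_LOG, UNKNOWN_LOG, NO_ADDR_LOG):
        print(json.dumps(enrich(line, table)))
```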