anthodu57
(Anthony Breda)
April 13, 2018, 9:20am
1
Hi,
I wish to make this pipeline rule:

```
rule "IPClass"
when
  has_field("IPsource")
then
  //xxx.xxx.xxx.xxx
  let splitIP = split("[.]", to_string($message.IPsource));
  let octet1 = splitIP[0];
  let octet2 = splitIP[1];
  let octet3 = splitIP[2];
  let locationSite = "";
  when
    octet1 == xxx && octet2 == xxx && octet3 == xxx
  then
    locationSite = "Site1";
  end
  set_field("LocationSite", locationSite);
end
```

But Graylog doesn't like this:
"extraneous input 'when' expecting {';', End, Let, Identifier}"
Best regards,
Anthony,
jochen
(Jochen)
April 13, 2018, 9:37am
2
What are you trying to achieve ultimately?
Usually, you would use two rules in consecutive stages for what I think you’re trying to do.
PS: Please format your posts for better readability: https://help.github.com/articles/creating-and-highlighting-code-blocks/
jan
(Jan Doberstein)
April 13, 2018, 11:02am
3
You can only have one when/then block in each rule, so you would need three rules.
anthodu57
(Anthony Breda)
April 13, 2018, 12:13pm
4
I need to sort the IPs according to their site.
I can't use three rules because Graylog needs a test when I use $message.IPsource.
Best regards,
Anthony,
jochen
(Jochen)
April 13, 2018, 12:36pm
5
Maybe using to_ip() and cidr_match() would be simpler?
anthodu57
(Anthony Breda)
April 13, 2018, 12:40pm
6
I don't know how cidr_match() works (checks whether the given IP address object matches the CIDR pattern), but it would always require an additional condition.
jochen
(Jochen)
April 13, 2018, 1:08pm
7
Please elaborate on that.
anthodu57
(Anthony Breda)
April 16, 2018, 6:16am
8
Hi,
If I use that, I need to add a condition to check if my field exists.
Graylog's error:
"mismatched input 'let' expecting When"
Best regards,
jochen
(Jochen)
April 16, 2018, 7:29am
9
jochen
(Jochen)
April 16, 2018, 8:49am
11
> anthodu57: So, how to do that?

What exactly do you mean?
anthodu57
(Anthony Breda)
April 16, 2018, 8:56am
12
I would like to attribute IP ranges to the different sites in my company.
Best regards,
jochen
(Jochen)
April 16, 2018, 9:06am
13
As described before, you can use to_ip() and cidr_match() to check if an IP address is in a given CIDR block.

```
rule "example-rule"
when
  has_field("ip_address") &&
  cidr_match("10.0.0.0/8", to_ip($message.ip_address))
then
  set_field("location_site", "Test Location");
end
```
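The "one rule per site, all in one stage" approach that Jan and Jochen describe, written out as an added example (not code from the thread). The site names and CIDR blocks are constructed placeholders; the field names follow Anthony's `IPsource` and `LocationSite`. The catch-all rule tags sources that fall outside every known range, which is the population worth alerting on.

```graylog
// One rule per site. CIDRs below are constructed placeholders.
rule "site-1"
when
  has_field("IPsource") &&
  cidr_match("10.1.0.0/16", to_ip($message.IPsource))
then
  set_field("LocationSite", "Site1");
end

rule "site-2"
when
  has_field("IPsource") &&
  cidr_match("10.2.0.0/16", to_ip($message.IPsource))
then
  set_field("LocationSite", "Site2");
end

rule "site-3"
when
  has_field("IPsource") &&
  cidr_match("10.3.0.0/16", to_ip($message.IPsource))
then
  set_field("LocationSite", "Site3");
end

// Catch-all: the field is present but the address is in none of the
// known ranges. Kept in the same stage so it is always evaluated.
rule "site-unknown"
when
  has_field("IPsource") &&
  ! cidr_match("10.1.0.0/16", to_ip($message.IPsource)) &&
  ! cidr_match("10.2.0.0/16", to_ip($message.IPsource)) &&
  ! cidr_match("10.3.0.0/16", to_ip($message.IPsource))
then
  set_field("LocationSite", "Unknown");
end

// Pipeline wiring: every rule in a stage has its condition evaluated,
// so all four belong in the same stage.
pipeline "IP to site"
stage 0 match either
  rule "site-1";
  rule "site-2";
  rule "site-3";
  rule "site-unknown";
end
```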
anthodu57
(Anthony Breda)
April 16, 2018, 12:13pm
14
Thank you!!
Is it possible to use the Lookup table?
Best regards,
jochen
(Jochen)
April 16, 2018, 12:31pm
15
No, that’s not possible if you want to store the CIDR blocks in a lookup source, also see: Mapping IPs to subnets
If the number of IP addresses is fairly limited, you could store them (and not the CIDR notation) in a CSV file and create a lookup table from it.
anthodu57
(Anthony Breda)
April 17, 2018, 7:25am
16
Thank you for the two answers. In the end I used the Lookup table, but the other answer is good too.
Best regards,
Anthony,
system
(system)
Closed
May 1, 2018, 7:35am
17
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.