Contains in rule when clause - not working

Hello,
I am new to Graylog and I am trying to normalize hostnames from different sources (Syslog, SNMP traps, Filebeat). Some devices send only the hostname without a domain, so I want to add the domain in a pipeline rule when the hostname does not contain a dot.
But this does not work; it seems that the rule fires for every hostname, even if the field x_host_input contains a dot. That leads to entries like hostname.mydomain.local.mydomain.local or 123.123.123.123.mydomain.local. What am I doing wrong?

rule "hostname - add domain"
when
    !is_ip($message.x_host_input) AND
    !contains(to_string($message.x_host_input), ".")
then
    let result = concat(to_string($message.x_host_input), ".mydomain.local");
    set_field("x_host_input", result);
end

In a step before, the field x_host_input is filled with the ip or hostname (source or beats_agent_hostname based on source). A stage later a dns lookup or reverse lookup is done and the name / ip stored to another field. Those rules are working fine.

Regards
Hans

How have you configured your pipeline which this rule is in?

Hello Jesse,
there are two stages.

Stage 1

  • copy source field content to x_host_input if input is syslog or snmp
  • copy filebeat_host_hostname field content to x_host_input if input is filebeat
  • copy winlogbeat_host_hostname field content to x_host_input if input is winlogbeat
  • append domain if x_host_input does not contain . - this rule runs always, even if hostname does not contain a dot

Stage 2

  • run dns resolution (lookup table) for x_host_input if is string and store into x_host_name
  • run reverse dns resolution (lookup table) for x_host_input if is ip and store into x_host_ip

I would move the append rule into Stage 2 since it’s relying on a field created by another rule in Stage 1.


Hi Jesse,

I configured it as follows and it seems to work. Is the always-true rule (in Stage 2) OK, or a dirty hack? As I am new to GL, I still have to learn.


Thank you!

Stage 1

  • copy source field content to x_host_input if input is syslog or snmp
  • copy filebeat_host_hostname field content to x_host_input if input is filebeat
  • copy winlogbeat_host_hostname field content to x_host_input if input is winlogbeat

Stage 2

  • append domain if x_host_input does not contain . - this rule runs always, even if hostname does not contain a dot
  • dummy rule “when true then end” to let every message into the next stage

Stage 3

  • run dns resolution (lookup table) for x_host_input if is string and store into x_host_name
  • run reverse dns resolution (lookup table) for x_host_input if is ip and store into x_host_ip

I have some bypass rules in some of my stages.

One thing I will say is that you should make sure that messages you want the append rule to be run against don’t match the ‘when’ condition of your bypass rule.

From looking at what you’ve shown, something like the below should be sufficient:


rule "Stage 2 Bypass"
when
    contains(to_string($message.x_host_input),".mydomain.local")
then
end
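To make the two answers above concrete (why the append rule must live in a later stage than the copy rules, and why a bypass rule's `when` must cover the messages the append rule will not match), here is a constructed Python model of Graylog's stage processing. It is an added example, not Graylog's code and not anything posted in this thread. It assumes three things about Graylog: every rule's `when` clause in a stage is evaluated before any rule's `then` clause runs, `to_string` on a missing field yields an empty string, and a stage in "match either" mode only passes a message on when at least one of its rules matched. The rule and function names (`normalize`, `run_pipeline`, `LAYOUTS`) and the sample messages are all constructed for the example.

```python
"""Toy model of how a Graylog pipeline processes stages (constructed example,
not Graylog's code). Assumed semantics: within a stage every rule's `when`
condition is evaluated against the message as it was at the start of the
stage, then the `then` actions of the matching rules run; the message only
reaches the next stage if at least one rule matched ("match either")."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Message = Dict[str, object]


@dataclass
class Rule:
    name: str
    when: Callable[[Message], bool]
    then: Callable[[Message], None]


def is_ip(value: object) -> bool:
    """Model of Graylog's is_ip(): True only for a parseable IPv4/IPv6 literal."""
    if value is None:
        return False
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def to_string(value: object) -> str:
    """Model of Graylog's to_string(): a missing field becomes "" (assumption)."""
    return "" if value is None else str(value)


def run_stage(rules: List[Rule], msg: Message) -> bool:
    # All conditions are evaluated first, before any action changes the message.
    # This is why a rule that reads a field set by a sibling rule in the same
    # stage sees the field as missing.
    matched = [r for r in rules if r.when(msg)]
    for r in matched:
        r.then(msg)
    return bool(matched)  # "match either": continue only if some rule matched


def run_pipeline(stages: List[List[Rule]], msg: Message) -> int:
    """Run the stages in order; return how many stages the message passed."""
    for done, rules in enumerate(stages):
        if not run_stage(rules, msg):
            return done
    return len(stages)


# Stage-1 copy rules from the thread: pick the hostname field by input type.
SOURCE_FIELDS = {"syslog": "source", "snmp": "source",
                 "filebeat": "filebeat_host_hostname",
                 "winlogbeat": "winlogbeat_host_hostname"}


def copy_rule(input_name: str, field_name: str) -> Rule:
    return Rule(f"copy {field_name} for {input_name}",
                lambda m: m.get("input") == input_name,
                lambda m: m.__setitem__("x_host_input", m.get(field_name)))


COPY_RULES = [copy_rule(i, f) for i, f in SOURCE_FIELDS.items()]

# The "hostname - add domain" rule, translated from the first post.
APPEND_RULE = Rule(
    "hostname - add domain",
    lambda m: not is_ip(m.get("x_host_input"))
    and "." not in to_string(m.get("x_host_input")),
    lambda m: m.__setitem__("x_host_input",
                            to_string(m.get("x_host_input")) + ".mydomain.local"))

# The "Stage 2 Bypass" rule: matches only names that already carry the domain.
BYPASS_RULE = Rule("Stage 2 Bypass",
                   lambda m: ".mydomain.local" in to_string(m.get("x_host_input")),
                   lambda m: None)

# The dummy "when true then end" rule: lets every message into the next stage.
ALWAYS_RULE = Rule("always", lambda m: True, lambda m: None)

LAYOUTS = {
    "same_stage": [COPY_RULES + [APPEND_RULE]],          # the original, broken layout
    "split_bypass": [COPY_RULES, [APPEND_RULE, BYPASS_RULE]],
    "split_always": [COPY_RULES, [APPEND_RULE, ALWAYS_RULE]],
}


def normalize(msg: Message, layout: str) -> Tuple[str, int]:
    """Return (x_host_input after the pipeline, number of stages passed)."""
    msg = dict(msg)  # copy so the caller's constructed message is untouched
    passed = run_pipeline(LAYOUTS[layout], msg)
    return to_string(msg.get("x_host_input")), passed


if __name__ == "__main__":
    # Constructed sample messages, one per input type in the thread.
    samples = [{"input": "syslog", "source": "host1.mydomain.local"},
               {"input": "snmp", "source": "10.0.0.5"},
               {"input": "filebeat", "filebeat_host_hostname": "host2"}]
    for layout in LAYOUTS:
        for s in samples:
            print(layout, s, "->", normalize(s, layout))
```

Running it shows the three behaviours discussed in the thread: in `same_stage` the append rule sees an empty `x_host_input` when its `when` is evaluated, so it fires for every message and produces `host1.mydomain.local.mydomain.local` and `10.0.0.5.mydomain.local`; in `split_bypass` hostnames are handled correctly, but an IP address matches neither the append rule nor the bypass rule, so the message never reaches the reverse-DNS stage; in `split_always` the dummy rule keeps every message flowing, which is why it is a reasonable choice rather than a hack when a later stage must see all messages.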
