Hello,
I am new to Graylog and I try to normalize hostnames from different sources (Syslog, SNMP traps, Filebeat). Some devices send only the hostname without a domain, so I want to add the domain in a pipeline rule when the hostname does not contain a dot.
But this does not work; it seems that the rule fires for every hostname, even if the field x_host_input contains a ".". That leads to entries like hostname.mydomain.local.mydomain.local or 123.123.123.123.mydomain.local. What am I doing wrong?
rule "hostname - add domain"
when
    // only bare hostnames: not an IP and no dot anywhere in the value
    !is_ip($message.x_host_input) AND
    !contains(to_string($message.x_host_input), ".")
then
    // append the local domain and overwrite the field
    let result = concat(to_string($message.x_host_input), ".mydomain.local");
    set_field("x_host_input", result);
end
In a step before, the field x_host_input is filled with the IP or hostname (source or beats_agent_hostname, depending on the source). In a later stage a DNS lookup or reverse lookup is done and the name / IP is stored in another field. Those rules are working fine.
One thing I will say is that you should make sure that messages you want the append rule to be run against don't match the "when" condition of your bypass rule.
From looking at what you've shown, something like the below should be sufficient…
rule "Stage 2 Bypass"
when
    // already qualified with the local domain: nothing to do
    contains(to_string($message.x_host_input), ".mydomain.local")
then
end
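The two rules above (the append rule from the question and the bypass rule from the reply) together describe one idempotent normalization: leave IP addresses and already-qualified names alone, append the domain only to bare hostnames. The Python below is an added example, not Graylog code and not from either poster; it models that logic outside the pipeline so the outcome can be checked on sample values, including what happens when the same value passes through the rule twice (which is what the doubled ".mydomain.local.mydomain.local" in the question looks like). The domain "mydomain.local" and the sample hostnames are assumed values copied from or constructed for this thread. Note that the `is_ip()` here tests the text of the value with the `ipaddress` module; Graylog's `is_ip()` checks the type of the value, so a string field holding "123.123.123.123" may not satisfy it, which is why the "no dot" test in the original rule does the real work for IPv4 inputs.

```python
import ipaddress

# assumed domain, mirroring the one used in the thread
DOMAIN = "mydomain.local"


def is_ip(value: str) -> bool:
    """True for a textual IPv4 or IPv6 address (string test, unlike Graylog's is_ip())."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def needs_domain(value: str) -> bool:
    """Mirror of the append rule's 'when' clause: bare hostnames only."""
    return not is_ip(value) and "." not in value


def add_domain(value: str, domain: str = DOMAIN) -> str:
    """Append the domain to a bare hostname; idempotent, so a second run changes nothing.

    The endswith() check plays the role of the 'Stage 2 Bypass' rule: values that
    already carry the local domain are returned untouched.
    """
    host = value.strip()
    if is_ip(host) or host.lower().endswith("." + domain.lower()):
        return host
    if "." in host:
        # qualified with some other domain (or an IP-like token); leave it alone
        return host
    return f"{host}.{domain}"


def normalize_many(values, domain: str = DOMAIN, passes: int = 2) -> dict:
    """Run the rule `passes` times per value, as happens when a message traverses the
    same pipeline more than once (e.g. it is in several streams the pipeline is connected to)."""
    out = {}
    for v in values:
        result = v
        for _ in range(passes):
            result = add_domain(result, domain)
        out[v] = result
    return out


# constructed sample inputs of the kinds named in the question
SAMPLE = [
    "webserver01",
    "Webserver01.mydomain.local",
    "123.123.123.123",
    "fe80::1",
    "host.other.example",
]

if __name__ == "__main__":
    for src, dst in normalize_many(SAMPLE).items():
        print(f"{src!r:32} -> {dst!r}")
```

Running the script shows every value stable after two passes; if a candidate rule change does not stay stable under `normalize_many`, it will produce the doubled suffix again once the message is processed more than once.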