Drop All messags except matching and help on slookup function

blason · March 17, 2019, 1:46pm

Hi,

I need to achieve below and appreciate communities help.

I have messages coming in from firewall in stream assume STREAM-FW and I am only interested when the field has “sourceUserName” else all the messages should be dropped. [I can drop the messages which matches certain but how do I drop everything except…]

This first requirement now on the same front; I have another stream STREAM-DNS where I am parsing those and has field “clientipaddr”. Now, how I need to find out the username associated with clientipaddr which is appearing in STREAM-FW.

Can someone please help me on the pipeline pls?

blason · March 17, 2019, 3:06pm

So, I made bit progress. I was able to route those messages containg only usernames in different stream i.e. onlyUserNames [which has srcIPaddr field as well]

Now I need to compare srcIPaddr and clientIPaddr from STREAM-DNS and found matched then insert username field in STREAM-DNS

Please advise.

Lyro · March 18, 2019, 12:54pm

then just negate the if clause (with a !) and then let the rule drop the messages

blason · March 18, 2019, 1:27pm

Hi there,

Would you please give me an example, pls?

Lyro · March 18, 2019, 2:13pm

sure thing,


when
contains(to_string($message.yourField), "condition") AND
! contains(to_string($message.yourField), "condition2")

then

do something

It´s true when the field “yourField” contains “condition” AND does not contain “condition2”. The only difference between this two is the !

blason · March 18, 2019, 5:02pm

Thats awesome!! Thanks buddy

And any clue on comparing string/IP address from two different stream and if true then extract username field and insert into one of the Stream?

blason · March 19, 2019, 4:23am

I guess slookup function will help me here I believe?

Lyro · March 19, 2019, 8:23am

If that is the case, just use the pipeline on the “all messages”-stream.

Take a look at substr() and split() together with compare. Could be helpful.
If you want to sort into a stream after a pipeline worked, just use the pipeline to set a new field (for example “toStreamX = true”) and add a new stream rule.

Good luck and let me know if you got it to work and how

system · April 2, 2019, 8:23am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Need help on slookup plugin Graylog Central (peer support)	4	363	April 5, 2019
Part of stream logs to another server Graylog Central (peer support)	2	343	February 15, 2019
Extracting fields from Two different stream & Combine them Graylog Central (peer support)	5	814	March 14, 2019
I am unable to drop message, please help Graylog Central (peer support)	4	538	September 16, 2019
Questions regarding pipeline processing / change field value of message Graylog Central (peer support)	3	2976	November 27, 2017

Drop All messags except matching and help on slookup function

Related Topics