Hey All,
I am trying to use the example pipeline rule from the blog post “Tapping Wires for Lean Security”.
This rule produces a handful of errors on Graylog 3, starting with the “has” line and the regex line at the bottom.
Any idea how I can update this for Graylog 3? Thanks.
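// NOTE(review): this listing is the forum's rendering of the pasted rule, not the rule itself.
// Markdown treated each "_" as an italics marker, so "set_field" became "set *field" and the
// text between paired underscores (e.g. `_field("packetbeat_`) was dropped, which is why
// "remove_field(...)" appears split across two lines. Lines whose full text survived are
// restored below (the intact `remove_field("facility");` near the end shows the real form).
// Fragments that cannot be recovered from this page are kept verbatim, commented out and
// tagged [truncated in paste]; nothing has been filled in from memory.
rule "rewrite raw packetbeat DNS logs"
when
// [truncated in paste] has
// [truncated in paste] name);
// [truncated in paste] remove
// [truncated in paste] ip);
// [truncated in paste] remove
set_field("dst_addr", $message.packetbeat_ip);
remove_field("packetbeat_ip");
set_field("dns_flags_authoritative", to_bool($message.packetbeat_dns_flags_authoritative));
remove_field("packetbeat_dns_flags_authoritative");
set_field("dns_flags_recursion_allowed", to_bool($message.packetbeat_dns_flags_recursion_allowed));
remove_field("packetbeat_dns_flags_recursion_allowed");
set_field("dns_flags_recursion_desired", to_bool($message.packetbeat_dns_flags_recursion_desired));
remove_field("packetbeat_dns_flags_recursion_desired");
set_field("dns_flags_truncated_response", to_bool($message.packetbeat_dns_flags_truncated_response));
remove_field("packetbeat_dns_flags_truncated_response");
// [truncated in paste] code);
// [truncated in paste] remove
// [truncated in paste] class);
// [truncated in paste] remove
// [truncated in paste] type);
// [truncated in paste] remove
// [truncated in paste] code);
// [truncated in paste] remove
// [truncated in paste] port));
// [truncated in paste] remove
set_field("src_port", to_long($message.packetbeat_client_port));
remove_field("packetbeat_client_port");
// Remove fields we don't need or want.
// [truncated in paste] remove
// [truncated in paste] in");
// [truncated in paste] remove
// [truncated in paste] authorities");
// [truncated in paste] remove
// [truncated in paste] count");
// [truncated in paste] remove
// [truncated in paste] answers");
// [truncated in paste] remove
// [truncated in paste] direction");
// [truncated in paste] remove
// [truncated in paste] responsetime");
// [truncated in paste] remove
// [truncated in paste] error");
// [truncated in paste] remove
// [truncated in paste] transport");
// [truncated in paste] remove
// [truncated in paste] method");
// [truncated in paste] remove
// [truncated in paste] resource");
// [truncated in paste] remove
// [truncated in paste] status");
// [truncated in paste] remove
// [truncated in paste] type");
// [truncated in paste] remove
// [truncated in paste] query");
// [truncated in paste] remove
// [truncated in paste] disabled");
// [truncated in paste] remove
// [truncated in paste] additionals");
remove_field("facility");
// Remove trailing . if there is one
// NOTE(review): the middle of the next line (`_string($message.dns_`) was eaten by the italics
// rendering; it is reconstructed from the intact `string($message.dns_question)` fragment two
// lines further down — confirm against the original blog post.
// NOTE(review): rule-language string literals use backslash escapes, so the `\.` in this
// pattern may need to be written `\\.`; that is a plausible source of the parse error reported
// on "the regex line" — verify on the Graylog 3 instance.
let fix = regex("(.+?)\.?$", to_string($message.dns_question));
// [truncated in paste] set
// [truncated in paste] string($message.dns_question)));
end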