Hi guys, please, what's the exact syntax if I want to remove a certain IP address using pipelines?
e.g.
when
src_ip != 10.10.10.255
then
set_field ();
end
You can access message fields (e.g. "src_ip") with $message.src_ip and drop messages with drop_message().
Can you help combine both $message.src_ip and drop_message() under a "when" condition?
Thanks
You can find some examples at http://docs.graylog.org/en/2.3/pages/pipelines/rules.html#rule-structure
Do you have a specific problem with creating the rule?
I have used $message.src_ip in many pipeline rules and it worked fine… I just need the syntax for combining both $message.src_ip and drop_message() to exclude a particular source IP address.
You would check the "src_ip" field in the when block and drop the message in the then block.
Okay Okay, something like this:
rule "use"
when
has_field("src_ip")
then
drop_message("10.10.10.255")
setfield()
end
more like
rule "use"
when
has_field("src_ip") AND $message.src_ip == "10.10.10.255"
then
drop_message()
end
Thanks J, it worked. I appreciate it.
rule "Proxy Top Users and Category"
when
is_not_null("EMAILLOCALPART") && has_field("Proxy_Category")
then
let Name_join = concat(to_string($message.EMAILLOCALPART), " ------> ");
let Name_ID = concat(Name_join,to_string($message.Proxy_Category));
set_field(field:"Proxy_Names", value: Name_ID);
end
I still get empty fields appearing as some of my email_users even though I used "is_not_null". What am I getting wrong, please?
Thanks
Please consider subscribing to professional support if you require individual and detailed help in your setup.
Thanks… I have fixed it already using the rule below:
rule "Proxy Top Users and Category"
when
is_not_null($message.EMAILLOCALPART) && has_field("Proxy_Category")
then
let Name_join = concat(to_string($message.EMAILLOCALPART), " ------> ");
let Name_ID = concat(Name_join,to_string($message.Proxy_Category));
set_field(field:"Proxy_Names", value: Name_ID);
end
Good day, please, I need a quick fix on this because it isn't fetching anything.
rule "FW_Outbound2"
when
( $message.IP == "10.*"
  OR $message.IP == "172.16.*" OR $message.IP == "172.17.*" OR $message.IP == "172.18.*" OR $message.IP == "172.19.*"
  OR $message.IP == "172.20.*" OR $message.IP == "172.21.*" OR $message.IP == "172.22.*" OR $message.IP == "172.23.*"
  OR $message.IP == "172.24.*" OR $message.IP == "172.25.*" OR $message.IP == "172.26.*" OR $message.IP == "172.27.*"
  OR $message.IP == "172.28.*" OR $message.IP == "172.29.*" OR $message.IP == "172.30.*" OR $message.IP == "172.31.*"
  OR $message.IP == "192.168.*" )
AND $message.Firewall_DestinationIP != "4.2.2.2"
AND $message.Firewall_DestinationIP != "8.8.8.8"
AND $message.Firewall_DestinationIP != "255.255.255.255"
AND $message.Firewall_DestinationIP != "10.10.2.255"
then
let Name_join = concat(to_string($message.timestamp), " ------> ");
let Name_ID = concat(Name_join,to_string($message.IP));
let Name_ID2 = concat(Name_ID, ("---------->"));
let Name_ID3 = concat(Name_ID2,to_string($message.Firewall_DestinationIP));
let Name_ID4 = concat(Name_ID3, ("---------->"));
let Name_ID5 = concat(Name_ID4,to_string($message.dst_port));
let Name_ID6 = concat(Name_ID5, ("---------->"));
let Name_ID7 = concat(Name_ID6,to_string($message.categoryOutcome));
set_field(field:"FW_OutboundS", value: Name_ID7);
end
Thanks.
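A reworked version of the FW_Outbound2 rule, added here as an example and not taken from the thread: `$message.IP == "10.*"` compares the field against the literal string 10.* (the asterisk is not a wildcard), so the condition never matches, whereas cidr_match() tests the parsed address against a network. It assumes the IP and Firewall_DestinationIP fields hold plain IPv4 address strings.

```graylog
// Added example, not the thread's own rule: private-source, non-excluded-destination
// match done with cidr_match() on a parsed address instead of string equality.
rule "FW_Outbound2 (cidr_match version)"
when
  has_field("IP") && has_field("Firewall_DestinationIP") &&
  // to_ip() with a default of 0.0.0.0 keeps an unparseable value from aborting
  // the rule; 0.0.0.0 falls in none of the private ranges below.
  (
    cidr_match("10.0.0.0/8",     to_ip(to_string($message.IP), "0.0.0.0")) ||
    // 172.16.0.0/12 covers 172.16.x.x through 172.31.x.x in a single check
    cidr_match("172.16.0.0/12",  to_ip(to_string($message.IP), "0.0.0.0")) ||
    cidr_match("192.168.0.0/16", to_ip(to_string($message.IP), "0.0.0.0"))
  ) &&
  // Destination exclusions from the original rule, unchanged
  to_string($message.Firewall_DestinationIP) != "4.2.2.2" &&
  to_string($message.Firewall_DestinationIP) != "8.8.8.8" &&
  to_string($message.Firewall_DestinationIP) != "255.255.255.255" &&
  to_string($message.Firewall_DestinationIP) != "10.10.2.255"
then
  // Same summary field as the original, built with fewer intermediate lets
  let s1 = concat(to_string($message.timestamp), " ------> ");
  let s2 = concat(concat(s1, to_string($message.IP)), " ----------> ");
  let s3 = concat(concat(s2, to_string($message.Firewall_DestinationIP)), " ----------> ");
  let s4 = concat(concat(s3, to_string($message.dst_port)), " ----------> ");
  set_field("FW_OutboundS", concat(s4, to_string($message.categoryOutcome)));
end
```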