Extracting fields from Two different stream & Combine them

Hello ,

I have a scenario where I need to know which public IP a user is connected from. The public IP is coming from one firewall source (firewall stream) and the user from a VPN source (VPN stream). Below are log samples from both sources:

  1. Stream Firewall
    [121121.2313131] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=5.5.5.5 DST=2.2.2.2 LEN=12 TOS=0x PREC=00 TTL=00 ID=000 PROTO= SPT=2001 DPT=0001 LEN=00

  2. Stream VPN
    vpn[60215]: 2.2.2.2:2001 [Tom.Cruise] Peer Connection Initiated with [AF_INET]2.2.2.2:2001

In both events the destination and source port are common.

I need to have a single message containing the Source IP (5.5.5.5) and Username (Tom.Cruise). How can I achieve such a scenario?

I implemented a couple of pipeline rules, but they extract only from a single stream of events and do not create new messages.

Guys, I require your support or an approach for solving such a use case.

Thanks,

Hi Rais,

Graylog can't actually do this on its own: it can't correlate 2 events together if they happened in different log entries.

You might use the slookup plugin to look up the username (when both entries have something they share).

That would allow you to add additional information from another stream to one or the other, or you create a new message with the processing pipeline.
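Because a pipeline rule only ever sees one message, the join has to happen somewhere both records are visible (a lookup table, or a process that reads both streams). As an added example, not from this thread or from Graylog itself, here is a small Python script that parses the two formats quoted in the question and joins them on the DST/SPT pair the question says both events share; the sample lines are constructed from the question's two samples, with one extra non-matching line per stream to show the miss case.

```python
import re

# Constructed sample lines modelled on the two streams quoted in the question.
FIREWALL_LINES = [
    "[121121.2313131] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 "
    "SRC=5.5.5.5 DST=2.2.2.2 LEN=12 TOS=0x PREC=00 TTL=00 ID=000 PROTO= SPT=2001 DPT=0001 LEN=00",
    "[121121.2313140] IN=eth0 OUT= SRC=9.9.9.9 DST=2.2.2.2 PROTO=UDP SPT=3002 DPT=1194 LEN=00",
]
VPN_LINES = [
    "vpn[60215]: 2.2.2.2:2001 [Tom.Cruise] Peer Connection Initiated with [AF_INET]2.2.2.2:2001",
    "vpn[60216]: 2.2.2.2:4444 [No.Match] Peer Connection Initiated with [AF_INET]2.2.2.2:4444",
]

# Firewall lines are a flat list of KEY=value tokens (some values empty, LEN appears twice).
FW_KV = re.compile(r"(\w+)=(\S*)")
# VPN lines carry ip:port followed by the username in square brackets.
VPN_RE = re.compile(
    r"vpn\[\d+\]: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
    r"\[(?P<user>[^\]]+)\] Peer Connection Initiated"
)


def parse_firewall(line):
    """Return the KEY=value fields of a firewall line; on duplicate keys the first occurrence wins."""
    fields = {}
    for key, value in FW_KV.findall(line):
        fields.setdefault(key, value)
    return fields


def parse_vpn(line):
    """Return {'ip', 'port', 'user'} for a VPN connection line, or None if it does not match."""
    match = VPN_RE.search(line)
    return match.groupdict() if match else None


def correlate(fw_lines, vpn_lines):
    """Join firewall (DST, SPT) against VPN (ip, port), the pair the question says is shared."""
    source_by_key = {}
    for line in fw_lines:
        fields = parse_firewall(line)
        if {"SRC", "DST", "SPT"} <= fields.keys():
            source_by_key[(fields["DST"], fields["SPT"])] = fields["SRC"]
    merged = []
    for line in vpn_lines:
        vpn = parse_vpn(line)
        if vpn and (vpn["ip"], vpn["port"]) in source_by_key:
            merged.append({"source_ip": source_by_key[(vpn["ip"], vpn["port"])],
                           "username": vpn["user"], "key": f"{vpn['ip']}:{vpn['port']}"})
    return merged


if __name__ == "__main__":
    for row in correlate(FIREWALL_LINES, VPN_LINES):
        print(row)
```

Unmatched lines on either side are simply dropped, so a missing username in the output points at a gap between the two streams rather than a parsing error.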

I will give it a try, but if possible can you help me with the syntax for using slookup?

I think slookup is not supported in Graylog 3.0.

I have downloaded the latest version of slookup and placed it into the plugin folder, but it didn't show up in the pipeline rules.
