Rais
February 27, 2019, 8:18am
1
Hello ,
I have a scenario where I need to know from with public IP user is connected and public IP is coming from one firewall source (firewall Stream) and another from VPN source (VPN Stream). Below is log sample from both the sources :
Stream Firewall[121121.2313131] IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC=5.5.5.5 DST=2.2.2.2 LEN=12 TOS=0x PREC=00 TTL=00 ID=000 PROTO= SPT=2001 DPT=0001 LEN=00
Stream VPN
In both the event destination and source port is common.
I need to have single message with contain Source IP (5.5.5.5 ) and Username (Tom.Cruise) . How can I achieve such scenario ?
I implemented couple of pipeline rules but they extracting only for single stream of event but not new messages.
Guys require your support or approach for solving sch use case.
Thanks ,
Rais:
I need to have single message with contain Source IP (5.5.5.5 ) and Username (Tom.Cruise) . How can I achieve such scenario ?
I implemented couple of pipeline rules but they extracting only for single stream of event but not new messages.
Guys require your support or approach for solving sch use case.
Hi Rais,
Graylog can’t actually do this on it’s own - it can’t correlate 2 events together if they happened in different log entries.
jan
February 27, 2019, 11:21am
3
you might use the slookup plugin to lookup the username (when both entries have something they share).
That would allow you to add to one or the other additional information from another stream - or you create a new message with the processing pipeline.
Rais
February 27, 2019, 2:31pm
4
I will give a try but if possible can you help me with syntax of using slookup
Rais
February 28, 2019, 11:29am
5
I think slookup is not supported in Graylog 3.0 .
I have downloaded latest version of slookup and place it into plugin folder but it didnt show up in pipeline rule.
system
March 14, 2019, 11:29am
6
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
