Extractor causing input to hang

Hello all! I’m experiencing an issue with an extractor. This extractor is for Sophos XG firewalls and is running on a TCP input coming from our RSYSLOG server. This extractor is used to pull the source IP from the message and store it in a field. When this extractor is present the Graylog server starts backing up on the incoming messages and stops processing messages. As soon as I remove this particular extractor the messages begin processing normally. Looking for how to further diagnose this issue, as this extractor is pretty critical to some other rules/workflow we have in place. Below is the extractor configuration.

    {
      "title": "Sophos XG Source IP",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "src_ip",
      "extractor_config": {
        "regex_value": "src_ip=([0-9]+(\\.[0-9]+)+)"
      },
      "condition_type": "string",
      "condition_value": "log_type=\"Firewall\""
    }

Chances are that is on a runaway search… it may or may not pick up what you want. The Graylog regex definition for an IPv4 address that is under System/Grok Patterns is as follows.

(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])

Perhaps try that in your extractor?

    {
      "title": "Sophos XG Source IP",
      "extractor_type": "regex",
      "converters": [],
      "order": 0,
      "cursor_strategy": "copy",
      "source_field": "message",
      "target_field": "src_ip",
      "extractor_config": {
        "regex_value": "src_ip=(?<![0-9])((?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])"
      },
      "condition_type": "string",
      "condition_value": "log_type=\"Firewall\""
    }
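To see concretely what each of the two extractor regexes above would pull out of a `src_ip=` field, here is an added example (not part of this thread, and not Graylog code) that runs the original loose pattern and the Grok-derived strict IPv4 pattern side by side over a few constructed Sophos XG-style log lines. The Grok pattern is wrapped in a single capturing group, because a Graylog regex extractor stores the first matcher group. The sample lines are made up for the example; two are deliberately malformed so the difference between the patterns shows up.

```python
import re

# Constructed Sophos XG-style lines (not real captures). The second and third
# have malformed addresses on purpose; the fourth has an empty src_ip.
SAMPLE_LINES = [
    'device="SFW" log_type="Firewall" src_ip=192.168.1.10 dst_ip=10.0.0.5 src_port=51234',
    'device="SFW" log_type="Firewall" src_ip=10.0.0.1234 dst_ip=10.0.0.5',
    'device="SFW" log_type="Firewall" src_ip=999.1.1.1 dst_ip=10.0.0.5',
    'device="SFW" log_type="Firewall" src_ip= dst_ip=10.0.0.5',
]

# The original extractor: any run of digits separated by dots.
LOOSE = re.compile(r"src_ip=([0-9]+(\.[0-9]+)+)")

# One octet of the Graylog Grok IPv4 definition quoted in the thread (0-255).
OCTET = r"(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])"

# Same prefix, but the address must be four valid octets with no digit directly
# before or after it; the outer group is capturing so the extractor has a group 1.
STRICT = re.compile(
    r"src_ip=(?<![0-9])(" + OCTET + r"[.]" + OCTET + r"[.]" + OCTET + r"[.]" + OCTET + r")(?![0-9])"
)


def extract(pattern, line):
    """Return the value a Graylog regex extractor would store (group 1), or None."""
    m = pattern.search(line)
    return m.group(1) if m else None


def compare(lines):
    """For each line, return (loose_result, strict_result)."""
    return [(extract(LOOSE, line), extract(STRICT, line)) for line in lines]


if __name__ == "__main__":
    for line, (loose, strict) in zip(SAMPLE_LINES, compare(SAMPLE_LINES)):
        print(f"loose={loose!r:18} strict={strict!r:18} <- {line}")
```

The loose pattern happily stores `10.0.0.1234` and `999.1.1.1`, neither of which is an IP address, into `src_ip`; the strict pattern leaves the field unset on those lines, which is the behaviour you want in front of any lookup keyed by IP.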

So I did some more digging/testing and found it’s not actually the extractor that’s in use. What’s breaking is the pipeline rules that do a compare against OTX threat intel.

When I remove the message stream from the pipeline- everything starts working correctly. When I add the stream back to the pipeline messages stop processing correctly. It’s just odd because this has been running for weeks with no issue.

For reference, here is the pipeline rule:

    rule "OTX Lookup: src_ip"
    when
        has_field("sourceip")
    then
        let intel = otx_lookup_ip(to_string($message.sourceip));
        set_field("threat_indicated", intel.otx_threat_indicated);
        set_field("threat_ids", intel.otx_threat_ids);
        set_field("threat_names", intel.otx_threat_names);
    end


Hello,

Just chiming in,
What has changed in the past week/s (i.e. updates, new devices sending logs, etc…)?
Not sure but that rule post doesn’t look right.

Judging from here.

Have you tailed the Graylog files when this issue is occurring? If so, what do you see?

I’ve recreated the pipeline and made my rules match exactly like the tutorial in the article. However, the issue still persists. When I turn the pipeline on messages start stacking up and not processing.

When I look at the server log I’m seeing some errors in regard to the OTXDataAdapter saying “Unable to auto-detect IP address type for key”.

Hello

From my understanding there are two API keys. One for IP and one for Domain.
Under (OTX - IP), click the edit button.

Add your API key here.

Both of these already have my API key, as they have for a while.

Here is a guess - make sure the IP is validated…

    rule "OTX Lookup: src_ip"
    when
        has_field("sourceip") &&
        is_ip($message.sourceip)
        // to_ip() may require an ipaddress object with to_ip() but I don't think so....
    then
        // watch for these debug statements in your Graylog log using
        // $ tail -f /var/log/graylog-server/server.log
        //
        debug(concat("+++ start of lookup for sourceip: ", to_string($message.sourceip)));
        let intel = otx_lookup_ip(to_string($message.sourceip));

        set_field("threat_indicated", intel.otx_threat_indicated);
        set_field("threat_ids", intel.otx_threat_ids);
        set_field("threat_names", intel.otx_threat_names);

        // the field was stored above as "threat_indicated", so read it back under that name
        debug(concat("+++ Function Complete - Threat indication: ", to_string($message.threat_indicated)));
    end
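The point of the `is_ip()` guard in the rule above is that a lookup keyed by IP should never be handed a value that is not one. The following added example (not from this thread and not Graylog's or OTX's code) shows the same guard outside Graylog: a stand-in lookup function that rejects non-IP keys the way the data adapter error in this thread describes, and an enrichment step that validates the field first so such messages are skipped instead of failing the whole batch. The messages and intel values are constructed; `fake_otx_lookup_ip` and `enrich` are hypothetical names for this example only.

```python
import ipaddress

# Constructed messages standing in for what the pipeline would see. The last
# three carry a sourceip that is empty, missing, or not an address at all.
SAMPLE_MESSAGES = [
    {"sourceip": "203.0.113.7"},
    {"sourceip": "192.0.2.1"},
    {"sourceip": "2001:db8::1"},
    {"sourceip": ""},
    {"other_field": "x"},
    {"sourceip": "N/A"},
]

# Constructed intel table (documentation-range addresses, not real OTX data).
FAKE_INTEL = {
    "203.0.113.7": {"ids": ["pulse-constructed-1"], "names": ["constructed scanner list"]},
}


def is_ip(value):
    """Equivalent of the pipeline function is_ip(): true for a valid IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def fake_otx_lookup_ip(key):
    """Stand-in for an IP-keyed lookup table: it raises on keys that are not IP
    addresses, mirroring the kind of error the data adapter logs for bad keys."""
    if not is_ip(key):
        raise ValueError(f"Unable to auto-detect IP address type for key: {key!r}")
    hit = FAKE_INTEL.get(key)
    return {
        "otx_threat_indicated": hit is not None,
        "otx_threat_ids": hit["ids"] if hit else [],
        "otx_threat_names": hit["names"] if hit else [],
    }


def lookup_raises(key):
    """True if the unguarded lookup would blow up on this key."""
    try:
        fake_otx_lookup_ip(key)
        return False
    except ValueError:
        return True


def enrich(message):
    """Guarded version of the rule: has_field("sourceip") && is_ip(...) before the lookup.
    Returns (message, looked_up) so callers can count what was skipped."""
    if "sourceip" not in message or not is_ip(message["sourceip"]):
        return message, False
    intel = fake_otx_lookup_ip(str(message["sourceip"]))
    enriched = dict(message)
    enriched["threat_indicated"] = intel["otx_threat_indicated"]
    enriched["threat_ids"] = intel["otx_threat_ids"]
    enriched["threat_names"] = intel["otx_threat_names"]
    return enriched, True


def process_batch(messages):
    """Run every message through the guarded rule; return (enriched, looked_up_count, skipped_count)."""
    results, looked_up, skipped = [], 0, 0
    for msg in messages:
        out, did_lookup = enrich(msg)
        results.append(out)
        looked_up += did_lookup
        skipped += not did_lookup
    return results, looked_up, skipped


if __name__ == "__main__":
    results, looked_up, skipped = process_batch(SAMPLE_MESSAGES)
    print(f"looked up {looked_up}, skipped {skipped}")
    for r in results:
        print(r)
```

Without the guard, the fourth and sixth messages would each raise inside the lookup, which is the failure mode to watch for in `server.log`; with it, they pass through the rule untouched and only the three real addresses are sent to the lookup.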
