Hello, I'm new to Graylog and currently using the rule below to filter logs into a stream from 2 devices: 101.53.0.29 and 10.12.4.80; I want to drop all messages from 10.12.4.80

```
rule "filter IP range 101.53.0.0/24"
when
  NOT cidr_match("101.53.0.0/24", to_ip($message.gl2_remote_ip))
then
  drop_message();
end
```
But they keep coming, so what is the problem? Thanks a lot.
I wouldn't put the "/" in the rule name... likely not the issue though. Maybe use the debug() function in an adjacent rule so you can watch the value of gl2_remote_ip.
Thanks for your reply. I have followed your suggestion, and the output of gl2_remote_ip is NULL. What is the problem with this field? I thought this was a built-in field of Graylog.
Were you able to solve it?
Nothing is working. I did figure out a way to get the IP of the message: by using the rDNS option on the INPUT, all the hostnames in the source field are resolved into IPs; tested with debug().
However, another problem came up. I copied one of the logs into the simulator to test the stream pipeline, and everything worked as expected, but it did not work for the real log messages in Search: it stated that the simulator message cannot be used in Dashboard, Search, etc., but the messages are still there.
Hello, baoletrg
first of all check the Message Processors Configuration; you must have something like:

| # | Processor | Status |
|---|---|---|
| 1 | AWS Instance Name Lookup | disabled |
| 2 | GeoIP Resolver | active |
| 3 | Message Filter Chain | active |
| 4 | Pipeline Processor | active |
Try to change

```
NOT cidr_match("101.53.0.0/24", to_ip($message.gl2_remote_ip))
```

to

```
cidr_match("10.12.4.0/24", to_ip($message.gl2_remote_ip))
```

And check your IP field's datatype.
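As an added example (not from any poster in this thread), here is one rule that drops only 10.12.4.80 while guarding against the failure described above, where gl2_remote_ip is NULL: it falls back to the rDNS-resolved source field, and passes a default to to_ip so an unresolved hostname yields a non-matching address instead of aborting the rule. The rule name, the fallback value 0.0.0.0 and the debug text are my choices; the default arguments of to_string and to_ip are assumed from the Graylog function reference.

```text
rule "drop messages from 10.12.4.80"
when
  // Prefer the ingest-side remote IP; when it is missing, use the source
  // field (which the input's rDNS option resolves to an IP). Anything that
  // still is not a parseable IP becomes 0.0.0.0 and cannot match the /32.
  cidr_match("10.12.4.80/32",
             to_ip(to_string($message.gl2_remote_ip, to_string($message.source)),
                   "0.0.0.0"))
then
  // debug() writes to the Graylog server log, so the drop can be verified there
  debug(concat("dropping message from 10.12.4.80, source=", to_string($message.source)));
  drop_message();
end
```

Connect the pipeline to the stream that receives both devices and keep Pipeline Processor after Message Filter Chain in the processor order, otherwise the stream fields the rule relies on are not yet populated when it runs.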