Graylog 4.0 bug with fields and aggregation

Hi all.
We tried to make an event definition and wrote these points:

  • in Filter&Aggregation>Aggregation used 3 fields (src_address, dst_address, protocol)
  • making Fields src_address, dst_address, protocol
    and it gives no alerts at all…
    when we leave only 1 field - it works
    more than 1 - no alert and no fields
    when we leave 1 field and 3 fields - we get 1 alert and 1 field in notifications
    Who can help or explain how it works?

@aldot

Hello and Welcome

I’m not sure what version of Graylog you're using, and it's also hard to tell what the problem could be. Could you explain what your goal is with Filter&Aggregation in greater detail? Maybe some examples of the outcome you wanted and/or messages you're trying to filter out. That would be very helpful.

Have you seen this link?

https://docs.graylog.org/en/4.0/pages/alerting/alerting-by-example.html

Hope that helps.

I added a new custom field with the name dst_address; it doesn’t work.
I made a template for the custom field like ${source.dst_address}, and the destination address is contained in the basic event, but in the alert we get an empty field. How does it work? Why isn't the value of the field extracted into the alert?

Hello,

Have you read this?
https://docs.graylog.org/en/4.0/pages/alerting/alerting-by-example.html#alerting-by-example

This could be a combination of different things. Maybe the field does not have data in it, or it could be how the messages are processed. Unfortunately, with the lack of information, like how you created those fields, it's hard to say.

Showing how you did the configuration would help us to help you troubleshoot your issue.

The basic message from NetFlow for the rule contains
NetFlowV5 [10.0.2.25]:53 <> [10.0.0.241]:51410 proto:17 pkts:0 bytes:151

These fields work and are added to the notification in alerts; when I want to add the protocol name or dst_port number with the template ${source.nf_proto}, no info is added to the alert.

Thank you for the additional information. I understand the issue now.
My apologies, I assumed it was this section that you were talking about.

I’m not too familiar with the Event fields section. I just never had to use it yet.

However, I did find these; maybe something in there might help.

As for creating custom fields, you probably can do this on the INPUT by creating a GROK or Regular expression. Then use those fields to filter out what you need. I’m sorry I can't be more help.
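As an added illustration (not code from the thread or from Graylog itself) of what a regex or grok extractor on the input would do with the NetFlow summary line quoted above, and of how an aggregation grouped by the three fields src_address, dst_address and protocol then buckets messages: the regex, the field names and the sample messages are constructed for this example; in Graylog the same expression would be placed in an extractor on the input rather than run in Python.

```python
import re
from collections import Counter

# Regex matching the NetFlow summary line format quoted in the thread.
# The same expression could be used in a Graylog regex extractor or grok pattern.
NETFLOW_RE = re.compile(
    r"^NetFlowV(?P<nf_version>\d+) "
    r"\[(?P<src_address>[^\]]+)\]:(?P<src_port>\d+) <> "
    r"\[(?P<dst_address>[^\]]+)\]:(?P<dst_port>\d+) "
    r"proto:(?P<protocol>\d+) pkts:(?P<pkts>\d+) bytes:(?P<bytes>\d+)$"
)

# IANA protocol numbers for the common transports seen in flow records.
PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}


def extract_fields(message):
    """Return a dict of fields parsed from one NetFlow summary line, or None."""
    m = NETFLOW_RE.match(message)
    if not m:
        return None
    fields = m.groupdict()
    fields["protocol_name"] = PROTO_NAMES.get(fields["protocol"], "other")
    return fields


def aggregate(messages, group_by):
    """Count messages per distinct combination of the group_by fields,
    the way an aggregation event definition groups them (hypothetical model)."""
    counts = Counter()
    for msg in messages:
        fields = extract_fields(msg)
        if fields is None:
            continue  # an unparsed line has no fields and never forms a group
        counts[tuple(fields[f] for f in group_by)] += 1
    return counts


# Constructed sample messages in the format quoted in the thread.
SAMPLE = [
    "NetFlowV5 [10.0.2.25]:53 <> [10.0.0.241]:51410 proto:17 pkts:0 bytes:151",
    "NetFlowV5 [10.0.2.25]:53 <> [10.0.0.241]:51411 proto:17 pkts:1 bytes:98",
    "NetFlowV5 [10.0.0.241]:40000 <> [10.0.2.25]:443 proto:6 pkts:5 bytes:356",
]

if __name__ == "__main__":
    groups = aggregate(SAMPLE, ("src_address", "dst_address", "protocol"))
    for key, n in groups.items():
        print(key, n)  # two groups: the UDP pair counted twice, the TCP pair once
```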

@aldot
Hello,
So I did some testing on a NetFlow UDP INPUT. I was using the default configuration and found a lot of fields that get generated. These also include fields for the destination address (dst_address). Not sure why you would want to create another field for the same thing. Maybe try using the default fields instead to see if you get better results.
Here is the list of fields that I have found.

message
NetFlowV9 [ip_address]:17746 <> [ip_address]:80 proto:6 pkts:5 bytes:356
nf_bytes
nf_dst
nf_dst_address
nf_dst_address_city_name
nf_dst_address_country_code
nf_dst_address_geolocation
nf_dst_port
nf_field_65
nf_field_66
nf_first_switched
nf_flow_end_reason
nf_flow_packet_id
nf_forwarding_status
nf_in_bytes
nf_in_pkts
nf_input_snmp
nf_ipv4_dst_addr
nf_ipv4_dst_addr_city_name
nf_ipv4_dst_addr_country_code
nf_ipv4_dst_addr_geolocation
nf_ipv4_src_addr
nf_l4_dst_port
nf_l4_src_port
nf_last_switched
nf_out_bytes
nf_out_pkts
nf_output_snmp
nf_pkts
nf_postipdiffservcodepoint
nf_proto
nf_proto_name
nf_protocol
nf_snmp_input
nf_snmp_output
nf_src
nf_src_address
nf_src_port
nf_start
nf_stop
nf_version
source
timestamp

Hope that helps.
