Graylog Advance Rules and Dynamic Lookup

(Rais Shaikh) #1

Hello Team ,

I am using graylog for last couple of months and feel like graylog is lacking on following points :

  1. Can it possible to have dynamic lookup table instead of static lookup , so that field can be added into lookup on the fly.

  2. Multi-correlation for heterogeneous devices based n srcip or usernames like commercial SIEM have nowadays ?

  3. Can you used lookup table in the rules?

I am facing challengers in creating some advance rules because of above point. Let me know if its possible to such flexibility in graylog.



(Ben van Staveren) #2

#1 I’m not entirely sure what you mean by “field can be added into lookup on the fly” - if you mean you want to populate a lookup table using data from Graylog, then that isn’t possible.

#2 Also not sure - got an example?

#3 Yes, you can use a lookup table in pipeline rules (via the lookup function)

1 Like

(Rais Shaikh) #3


For point #1 and #2 , is there any roadmap for such features ?

For point #3 , I mean can we used lookup table in Alert condition ?


(Konrad Merz) #4

#1 there is no such plan to do so in the future. But feel free to open a feature request at github with example usage.

#2 I also would need an example to understand what you want to achieve.

#3 The lookup table is used to enrich your data. For example, you can tell via Tor lookup table, that a source IP is from a TOR exit node and you can mark that in your pipeline rule. And than you can decide in a alert condition if you want to act upon this marking. What do you need look up tables in alert conditions for?


(system) closed #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.