Graylog Advance Rules and Dynamic Lookup

Hello Team ,

I am using graylog for last couple of months and feel like graylog is lacking on following points :

  1. Can it possible to have dynamic lookup table instead of static lookup , so that field can be added into lookup on the fly.

  2. Multi-correlation for heterogeneous devices based n srcip or usernames like commercial SIEM have nowadays ?

  3. Can you used lookup table in the rules?

I am facing challengers in creating some advance rules because of above point. Let me know if its possible to such flexibility in graylog.


#1 I’m not entirely sure what you mean by “field can be added into lookup on the fly” - if you mean you want to populate a lookup table using data from Graylog, then that isn’t possible.

#2 Also not sure - got an example?

#3 Yes, you can use a lookup table in pipeline rules (via the lookup function)

1 Like


For point #1 and #2 , is there any roadmap for such features ?

For point #3 , I mean can we used lookup table in Alert condition ?

#1 there is no such plan to do so in the future. But feel free to open a feature request at github with example usage.

#2 I also would need an example to understand what you want to achieve.

#3 The lookup table is used to enrich your data. For example, you can tell via Tor lookup table, that a source IP is from a TOR exit node and you can mark that in your pipeline rule. And than you can decide in a alert condition if you want to act upon this marking. What do you need look up tables in alert conditions for?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.