Good day please, how do i query a subnet on graylog. i tried using: dst!=10.0.0.0/8 but it didnt work. please can u help me out asap. Thanks.
these fields are saved as text, so no subnet queries can be used, of course elastcsearch has ip type field enabling use of subnet querying, but this needs a custom field mapping, also I don’t know if graylog itself would allow for such query type, I used ip field internally and queried using kibana, some time ago some gralog dev told me graylog supports only text and number field types
I am familiar with both Arcsight and Kibana and have used both well. So i cant just search a subnet on Graylog and it would work.
apparently arcsight is more closely integrated (through logstash?) with elasticsearch than graylog, as i said to use cidr notation in search, given ip address has to be written as ip data type, graylog doesn’t differentiate, it’s saves data as text, numeric or date type if you tell it to do so
Okay, how do you now query a text. For example if i wanna query a block of source addresses.
with text you can use wildcards, like dst=“10.0.0.*” or similar
Okay, I would be expecting to hear from you.
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.