Help with pipeline rule for packetbeats dns

Hi, I'm running Graylog 3.2.4 Enterprise.

I have been following the below Graylog guide for Packetbeat DNS capture. I have the messages coming into Graylog OK, but when I went to add the pipeline rule it throws a couple of errors: it throws an error by "has" and "name)", and also at "let fix = regex", where it says "Invalid expression". I would be grateful if someone could assist.

############################################

The rule in the post is as below …

############################################

rule “rewrite raw packetbeat DNS logs”

when

has
name);

remove
ip);
remove
set field("dst addr", $message.packetbeat ip);
remove
field(“packetbeat_ip”);
set field("dns flags authoritative", to bool($message.packetbeat dns flags authoritative));
remove
field(“packetbeat dns flags_authoritative”);
set field("dns flags recursion allowed", to bool($message.packetbeat dns flags recursion allowed));
remove
field(“packetbeat dns flags recursion allowed”);
set field("dns flags recursion desired", to bool($message.packetbeat dns flags recursion desired));
remove
field(“packetbeat dns flags recursion desired”);
set field("dns flags truncated response", to bool($message.packetbeat dns flags truncated response));
remove
field(“packetbeat dns flags truncated response”);
code);
remove
class);
remove
type);
remove
code);
remove
port));
remove
set field("src port", to long($message.packetbeat client port));
remove
field(“packetbeat client port”);

// Remove fields we don’t need or want.

remove
in");
remove
authorities");
remove
count");
remove
answers");
remove
direction");
remove
responsetime");
remove
error");
remove
transport");
remove
method");
remove
resource");
remove
status");
remove
type");
remove
query");
remove
disabled");
remove
additionals");
remove_field(“facility”);

// Remove trailing . if there is one
let fix = regex("(.+?).?$", to
question));
set
string($message.dns_question)));

end

############################################

Errors shown in the pictures

Many thanks

Any thoughts on this guys ?

I have had a go at this, but this complexity level of rule is really not my forte.

Does this look right to fix the top error? It seems to make Graylog happier, but I don't know if it will break the rule functionality …

Also, any thoughts on what is wrong with the regex? I'm not seeing it.

Many thanks

You have read a very old article, which uses old syntax and has truncated some chars for the pipeline rule, so it's not complete. You need to use the new syntax for pipeline rules; check the docs:
http://docs.graylog.org/en/3.2/pages/pipelines/rules.html

In your case, change to something like:

rule "rewrite raw packetbeat DNS logs"
when
    has_field("name")
then
    remove_field("ip");
    set_field("dst addr", $message.packetbeat_ip);
    remove_field("packetbeat_ip");
    set_field("dns_flags_authoritative", to_bool($message.packetbeat_dns_flags_authoritative));

end

Check docs for functions:
http://docs.graylog.org/en/3.2/pages/pipelines/functions.html#remove-field
http://docs.graylog.org/en/3.2/pages/pipelines/functions.html#set-field
http://docs.graylog.org/en/3.2/pages/pipelines/functions.html#to-bool

Thank you for your help :slight_smile:

I did read the pipeline document but did not notice the new syntax.

I didn't see the other docs, so I will read them … thank you.

I will go through and rewrite the format. Do you think it will be the same issue with the regex?

I will only guess because it's truncated, but the correct syntax could be:

// Remove trailing . if there is one. The dot must be escaped ("\\."): an
// unescaped ".?" matches any final character, so a name without a trailing
// dot would lose its last letter. fix["0"] is the first capture group.
let fix = regex("(.+?)\\.?$", to_string($message.dns_question));
set_field("dns_question", fix["0"]);

So the purpose of the snippet is to remove the trailing dot at the end of the string in the dns_question field. Change the field name if you need to.
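To make the two answers above concrete, here is an added Python stand-in for the corrected rule (this is example code written for this thread, not Graylog's pipeline engine and not the original guide's rule). It applies the same transformations as the rewritten rule (remove "ip", rename "packetbeat_ip" to a destination-address field, convert the DNS flag fields with a to_bool stand-in, convert the client port, drop "facility", strip the trailing dot from dns_question) to a constructed sample event, and it shows why the dot in the trailing-dot regex has to be escaped: with the unescaped pattern, a name that has no trailing dot loses its last character. The target field names "dst_addr" and "src_port" are assumptions, since the underscores were lost in the truncated rule, and the sample values are made up.

```python
import re

# Constructed sample event, using the flattened "packetbeat_*" field names the
# rule in this thread reads. All values are invented for this example.
SAMPLE_MESSAGE = {
    "name": "packetbeat",
    "ip": "10.0.0.5",
    "packetbeat_ip": "10.0.0.5",
    "packetbeat_dns_flags_authoritative": "false",
    "packetbeat_dns_flags_recursion_allowed": "true",
    "packetbeat_dns_flags_recursion_desired": "true",
    "packetbeat_dns_flags_truncated_response": "false",
    "packetbeat_client_port": "53412",
    "dns_question": "example.com.",
    "facility": "packetbeat",
}

# Escaped dot: the optional trailing character may only be a literal ".".
TRAILING_DOT = re.compile(r"(.+?)\.?$")
# Unescaped dot, as in the truncated snippet: ".?" may swallow any last char.
UNESCAPED_DOT = re.compile(r"(.+?).?$")


def strip_trailing_dot(name, pattern=TRAILING_DOT):
    """Return capture group 1 (Graylog's fix["0"]); unchanged input if no match."""
    match = pattern.match(name)
    return match.group(1) if match else name


def to_bool(value):
    """Stand-in for Graylog's to_bool(): True only for True or the string "true"."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def rewrite_packetbeat_dns(message):
    """Python equivalent of the rewritten rule's `when has_field("name") then ...`."""
    if "name" not in message:                      # when has_field("name")
        return dict(message)
    msg = dict(message)
    msg.pop("ip", None)                            # remove_field("ip")
    if "packetbeat_ip" in msg:                     # set_field + remove_field
        msg["dst_addr"] = msg.pop("packetbeat_ip") # "dst_addr" is an assumed name
    for flag in ("authoritative", "recursion_allowed",
                 "recursion_desired", "truncated_response"):
        src = f"packetbeat_dns_flags_{flag}"
        if src in msg:                             # set_field(..., to_bool(...))
            msg[f"dns_flags_{flag}"] = to_bool(msg.pop(src))
    if "packetbeat_client_port" in msg:            # set_field(..., to_long(...))
        msg["src_port"] = int(msg.pop("packetbeat_client_port"))  # assumed name
    msg.pop("facility", None)                      # remove_field("facility")
    if "dns_question" in msg:                      # regex(...) + set_field(...)
        msg["dns_question"] = strip_trailing_dot(str(msg["dns_question"]))
    return msg


if __name__ == "__main__":
    for key, value in sorted(rewrite_packetbeat_dns(SAMPLE_MESSAGE).items()):
        print(f"{key} = {value!r}")
    for name in ("example.com.", "example.com"):
        print(name, "->", strip_trailing_dot(name),
              "| unescaped dot:", strip_trailing_dot(name, UNESCAPED_DOT))
```

Running the block prints the rewritten event and the two regex variants side by side; the escaped pattern leaves "example.com" intact, while the unescaped one turns it into "example.co". Note that to_bool here is an approximation of Graylog's function for the string values Packetbeat emits, not a copy of its semantics.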

Thank you very much for your time and help, I will give it a try and let you know if that was correct.
