I have been following the Graylog guide below for Packetbeat DNS capture. I have the messages coming in to Graylog OK, but when I went to add the pipeline rule it throws a couple of errors: it throws an error at "has" and "name)", and also at "let fix = regex", where it says "Invalid expression". I would be grateful if someone could assist.
############################################
The rule in the post is as below …
############################################
rule “rewrite raw packetbeat DNS logs”
when
has
name);
remove
ip);
remove
set field("dst addr", $message.packetbeat ip);
remove
field(“packetbeat_ip”);
set field("dns flags authoritative", to bool($message.packetbeat dns flags authoritative));
remove
field(“packetbeat dns flags_authoritative”);
set field("dns flags recursion allowed", to bool($message.packetbeat dns flags recursion allowed));
remove
field(“packetbeat dns flags recursion allowed”);
set field("dns flags recursion desired", to bool($message.packetbeat dns flags recursion desired));
remove
field(“packetbeat dns flags recursion desired”);
set field("dns flags truncated response", to bool($message.packetbeat dns flags truncated response));
remove
field(“packetbeat dns flags truncated response”);
code);
remove
class);
remove
type);
remove
code);
remove
port));
remove
set field("src port", to long($message.packetbeat client port));
remove
field(“packetbeat client port”);
You have read a very old article, which uses the old syntax and has truncated some chars from the pipeline rule, so it's not complete. You need to use the new syntax for pipeline rules; check the docs: http://docs.graylog.org/en/3.2/pages/pipelines/rules.html
In your case, change it to something like:
rule "rewrite raw packetbeat DNS logs"
when
  // only touch messages that carry the field the old article keyed on
  has_field("name")
then
  remove_field("ip");
  // copy the Packetbeat IP into a normalised field, then drop the original
  set_field("dst addr", $message.packetbeat_ip);
  remove_field("packetbeat_ip");
  // convert the flag string to a real boolean so it can be searched as such
  set_field("dns_flags_authoritative", to_bool($message.packetbeat_dns_flags_authoritative));
end
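The same rewrite carried through for the remaining fields that are still legible in the truncated rule (the other DNS flags and the client port), written in the current Graylog pipeline syntax. This is an added example, not the answerer's rule or the article's: the source field names (packetbeat_ip, packetbeat_dns_flags_*, packetbeat_client_port) and the underscore-style target names are assumed and must match what your Packetbeat input actually produces, which you can confirm by inspecting one message in the Graylog search view.

```graylog
rule "rewrite raw packetbeat DNS logs (all legible fields)"
when
  // assumed: the raw Packetbeat message always carries packetbeat_ip
  has_field("packetbeat_ip")
then
  // destination address: copy then drop the raw field
  set_field("dst_addr", $message.packetbeat_ip);
  remove_field("packetbeat_ip");

  // DNS header flags: Packetbeat sends them as strings, so convert to booleans
  // (assumed source field names; check them against a real message)
  set_field("dns_flags_authoritative",
            to_bool($message.packetbeat_dns_flags_authoritative));
  remove_field("packetbeat_dns_flags_authoritative");

  set_field("dns_flags_recursion_allowed",
            to_bool($message.packetbeat_dns_flags_recursion_allowed));
  remove_field("packetbeat_dns_flags_recursion_allowed");

  set_field("dns_flags_recursion_desired",
            to_bool($message.packetbeat_dns_flags_recursion_desired));
  remove_field("packetbeat_dns_flags_recursion_desired");

  set_field("dns_flags_truncated_response",
            to_bool($message.packetbeat_dns_flags_truncated_response));
  remove_field("packetbeat_dns_flags_truncated_response");

  // source port: store as a number so range searches work;
  // the second argument is the default used when the value is not numeric
  set_field("src_port", to_long($message.packetbeat_client_port, 0));
  remove_field("packetbeat_client_port");
end
```

The response code, question class and question type fields from the article are cut off in the quoted rule, so they are left out here rather than guessed; add them the same way once you have read their real names from an incoming message.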