OH. MY. GOD! That’s amazing! Thanks! Exactly what I was looking for! Brilliant.
Coolio, but for reference, Wireshark seems to offer a syslog filter: Wireshark · Display Filter Reference: Syslog message
Anyways, remote IP is a thousand times better than diving through Wireshark for that.
Hello,
Glad you found your solution.
The only issue with this one is that you need to add this field to all tables every time you access Graylog, but I lived with that for years and it didn’t bother me much.
Now I grew up and I am using a pipeline rule to replace the source field with the gl2_remote_ip field, and from now on my source always shows the same value as gl2_remote_ip.
The pipeline rule is attached to every message that comes through.
```
rule "replace_source_with_ip"
when
    has_field("message")
then
    // Overwrite source with the value of gl2_remote_ip
    set_field("source", to_string($message.gl2_remote_ip));
end
```
K.
I prefer hostnames, but I will probably add remote IP in a separate field so it’s saved in the message. You could also make a dashboard where you display that field in the view and save it. Sadly it seems like we don’t have control over column width, so the formatting has more to wish for. =/
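The separate-field variant mentioned in the last reply, as an added example that is not from any poster in this thread: it leaves the hostname in `source` and copies `gl2_remote_ip` into a second field, so the name taken from the message and the address Graylog recorded for the sender are stored side by side. The rule name and the field name `remote_ip` are assumptions chosen for illustration.

```graylog
rule "store_remote_ip_keep_hostname"
when
    // Only act on messages that actually carry the address recorded by
    // Graylog, and do not overwrite a remote_ip field that already exists.
    has_field("gl2_remote_ip") && !has_field("remote_ip")
then
    // "remote_ip" is a hypothetical field name, not one used in this thread.
    // source is left untouched, so searches by hostname keep working.
    let ip = to_string($message.gl2_remote_ip);
    set_field("remote_ip", ip);
end
```

Because the value is written into the message itself, it is stored with the message and can be added as a column to a saved dashboard view.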