How do I achieve my below requirement with graylog?

Hi Team

My Graylog version is 3.3.9+abab7dc, codename Sloth Rocket. I have two streams, e.g.
dns-pktbeat and dns-queries.

dns-queries contains logs from logstash parsing, while dns-pktbeat is from packetbeat.

I have interesting fields from both streams, which are:
In dns-pktbeat
packetbeat_client_ip
packetbeat_domain_name

And in dns-queries
domain_name

packetbeat_domain_name and domain_name contain the domain names, e.g. example.com.

So, what I want to achieve is:
If the content of domain_name from the dns-queries stream matches packetbeat_domain_name from dns-pktbeat, then pick up the field packetbeat_client_ip from dns-pktbeat and insert that field into dns-queries, so that I can get the original source_IP.

Is this really possible?

TIA
Blason R
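An offline illustration of the correlation asked for above, added here as an example and not part of the original thread or of Graylog itself: it joins constructed dns-queries and dns-pktbeat records on the domain name and, because one domain is usually looked up by many clients, picks the dns-pktbeat record closest in time. The field names come from the post; the sample records, timestamps and the 5-second matching window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not taken from the thread). Timestamps are ISO 8601 UTC.
DNS_PKTBEAT = [
    {"timestamp": "2021-01-10T10:00:00Z", "packetbeat_client_ip": "10.0.0.5", "packetbeat_domain_name": "example.com"},
    {"timestamp": "2021-01-10T10:00:09Z", "packetbeat_client_ip": "10.0.0.7", "packetbeat_domain_name": "Example.COM"},
    {"timestamp": "2021-01-10T10:00:03Z", "packetbeat_client_ip": "10.0.0.9", "packetbeat_domain_name": "internal.test"},
]
DNS_QUERIES = [
    {"timestamp": "2021-01-10T10:00:01Z", "domain_name": "example.com"},
    {"timestamp": "2021-01-10T10:00:10Z", "domain_name": "example.com"},
    {"timestamp": "2021-01-10T10:00:04Z", "domain_name": "unknown.example"},
]


def _ts(value):
    """Parse the constructed timestamp format into a datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def enrich(queries, pktbeat, window=timedelta(seconds=5)):
    """Return copies of `queries` with packetbeat_client_ip added where a
    dns-pktbeat record for the same domain lies within `window` of the query.

    A query with no dns-pktbeat record in range is returned unchanged, so the
    absence of the field is itself a signal that the source could not be recovered.
    """
    # Index dns-pktbeat by lower-cased domain: DNS names are case-insensitive.
    by_domain = {}
    for rec in pktbeat:
        by_domain.setdefault(rec["packetbeat_domain_name"].lower(), []).append(rec)

    enriched_records = []
    for q in queries:
        enriched = dict(q)  # never mutate the caller's records
        query_time = _ts(q["timestamp"])
        best = None  # (time distance, candidate record)
        for cand in by_domain.get(q["domain_name"].lower(), []):
            delta = abs(_ts(cand["timestamp"]) - query_time)
            if delta <= window and (best is None or delta < best[0]):
                best = (delta, cand)
        if best is not None:
            enriched["packetbeat_client_ip"] = best[1]["packetbeat_client_ip"]
        enriched_records.append(enriched)
    return enriched_records


if __name__ == "__main__":
    for rec in enrich(DNS_QUERIES, DNS_PKTBEAT):
        print(rec)
```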

With newer versions of Graylog (and licensing) you can make correlations in alerts… which wouldn’t specifically help you… Another feature of the newer versions (if you are licensed) is you can insert data to the MongoDB that Graylog uses for further queries… which may help with what you want to do… But you would need to upgrade your Graylog instance and apply for a Free Enterprise License… to maintain Free Licensing you need to keep your ingestion below 5GB per day.

I don’t think there are any other ways to make the correlation change you want…
