How do I achieve my below requirement with graylog?

blason · January 18, 2022, 5:29pm

Hi Team

My Graylog version is 3.3.9+abab7dc, codename Sloth Rocket. I have two streams e.g.
dns-pktbeat and dns-queries

dns-queries contains logs from logstash-parsing while dns-pktbeat is from packetbeat

I have interesting fields from both the streams which are
in dns-pktbeat
packetbeat_client_ip
packetbeat_domain_name

And in dns-queries
domain_name

packetbeat_domain_name and domain_name contains the domain names e.g. example.com

So, I want to achieve is
If content of domain_name from dns-queries stream matches with packetbeat_domain_name from dns-pktbeat then pick up a field packetbeat_client_ip from dns-pktbeat and insert that field in dns-queries so that I can get original source_IP.

Is this really possible?

TIA
Blason R

tmacgbay · January 18, 2022, 8:57pm

With newer versions of Graylog (and licensing) you can make correlations in alerts… which wouldn’t specifically help you… Another feature of the newer versions (if you are licensed) is you can insert data to the MongoDB that Graylog uses for further queries… which may help with what you want to do… But you would need to upgrade your Graylog instance and apply for a Free Enterprise License… to maintain Free Licensing you need to keep your ingestion below 5GB per day.

I don’t think there are any other ways to make the correlation to change you want…

Topic		Replies	Views
Corelations in Graylog Graylog Central (peer support)	4	421	July 29, 2020
Correlation logs Graylog Central (peer support)	5	1281	June 3, 2019
Alerting based on event correlation with multiple lines Graylog Central (peer support)	2	722	November 4, 2019
Still my pipeline is not working - And need help badly Graylog Central (peer support) pipeline-rules , debuggingpl	7	603	October 14, 2019
Correlating logs with Graylog 3.0 Graylog Central (peer support)	2	632	April 22, 2019

How do I achieve my below requirement with graylog?

Related topics