How to add IP address to Stream using lookup table

Graylog Central (peer support)
1

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

**1. Hello Everyone,

Just wanted to check how can we add assets IP (Address) to Graylog Stream?

There are basically two of of adding IP address to a Stream

1. Stream Rule Based (Stream --> Manage Rule -->Add Stream Rule (field: gl2_remote_ip (enter_IP_which_you_want_to_add_to_stream))) --> Save
2. Lookup table based -- Can anyone share what is the method of adding IP address to a Stream using lookup table.

Thanks,

Ifty.:**

2. : We have 4 GL HA, 10 ES HA, & 3 Mongo in Replica Set

  • OS Information: RHEL 7

  • Package Version: Graylog 4.0.15

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

4. How can the community help?

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

2

Are you looking for the DNS lookup table? More info in docs here

3

Hello @aali94

Adding on, but I’m not sure what you want to do.
Here is a example.
Adding Stream rule with IP Address.

image
image1878×471 25.5 KB

image

As for a lookup table I have used it on my Input/s. I haven’t use the DNS Lookup as @tmacgbay stated above.

Or you can use “source field” with FQDN

image
image629×512 27.9 KB

4

@tmacgbay :

I am looking to to setup DNS lookup table.

I have created the lookup table following the instructions, the link which you shared (Data Adaptor, Cache, Lookup table).

I think next step is

Cluster Global API → System/Lookup : Lookup tables → Show → GET

image
image753×551 29.1 KB

But I am not sure how this adaptor is getting mapped with Stream ID.

Thanks!

5

This method of adding IP address to Stream puts more load on the system, therefore Graylog recommends to follow Data Adaptor based addition.

6

Can you be more descriptive of what you want? How are you figuring out what IP to put into the message fields? Do you want to translate the source field to a separate source_IP field based on the DNS table?

2 Likes
7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.