How to use gl2_remote_ip in Stream-Rule

Graylog Central (peer support)
1

Hello ladys and gentlemens,

In the stream rules of Graylog (currently I use version 2.3.2) I can’t filter the messages by “gl2_remote_ip”. But I remember that once it worked.
When I use a message to test it against the rules, Graylog no longer filters for “gl2_remote_ip” because it does not exist in the message body.
If I use the same message as above in the search and select the field “gl2_remote_ip”, the IP will be displayed.
I use extractors at the inputs.

What possibilities do I have to use the "gl2_remote_ip " in the stream rule anyway?

2

The “gl2_remote_ip” field should always exist unless you’ve removed it in a pipeline rule.

3

I don’t remove or overwrite the gl2_remote_field. It was not viewable / accessable in Graylog 2.3

But yesterday, i created a new docker-container with graylog 2.4 beta and tested it here.
The gl2_remote_ip works now…:metal:

4

Only for info:
Before GL 2.4 you can always create an extractor to copy gl2_remote_ip in other field.

{
 "extractors": [
 {
   "title": "copy_remote_ip_extractor",
   "extractor_type": "copy_input",
   "converters": [],
   "order": 0,
   "cursor_strategy": "copy",
   "source_field": "gl2_remote_ip",
   "target_field": "source_remote_ip",
   "extractor_config": {},
   "condition_type": "none",
   "condition_value": ""
 },
   ],
  "version": "2.2.0-SNAPSHOT"
}

hope helps :thinking:

1 Like
5

Thank you for the great tip. We now use the Graylog in version 2.4, but we are very satisfied with the new version despite beta status. In the version 2.4, we can use the gl2_remote_ip in the pipeline rule without a extra added extractor for this.

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.