Is there a RBL-like input plugin?


(Jason Haar) #1

Hi there

We run a fairly thorough internal asset management system and for performance and versatility reasons publish it via DNS TXT records - an idea ‘stolen’ from RBL. I.e. do a TXT lookup on ip.add.ress.assets.mgt, which returns a string containing hostname, then do a TXT record lookup on hostname.assets.mgt, which returns a string containing OS, owner, hardware, etc.

I have a nice pygelf-based script that we use to push data into graylog, and via this ‘RBL interface’ are able to associate intranet client hostnames, OS and users with intranet IP addresses. Really happy with that - works well

But this doesn’t help us for the syslog data, nor other GELF inputs that don’t come in via the pygelf script. So basically I want to move that functionality from the client to the server - i.e. have a ‘graylog-plugin-assets’ plugin for graylog server.

The existing graylog-plugin-dnsresolver plugin is in the right ballpark - but I know ZERO Java and cannot even figure out how to do a DNS call to pull back a TXT record (in Java) - let alone how to then extract strings and add new GELF fields with those values.

So I was wondering if there are some simple example plugins that someone like myself with nothing more than some scripting abilities could turn into this vision of loveliness I seek?

Thanks for any suggestions

Jason
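
The two-step TXT lookup described in the post above, sketched in Java as an added example (not part of the original post and not Graylog's own code). The class name, the `asset_*` field names, the `key=value;...` layout of the second TXT record, the single-label hostname and the sample records are assumptions; only the `assets.mgt` zone and the lookup order come from the post.

```java
import java.util.*;
import javax.naming.NamingException;
import javax.naming.directory.*;
public class AssetTxtLookup {
    static final String ZONE = "assets.mgt"; // zone name used in the post
    /** Lookup abstraction so the logic can run without a live DNS server. */
    interface TxtResolver { String txt(String name) throws NamingException; }

    /** Real TXT lookup through the JDK's built-in JNDI DNS provider. */
    static String jndiTxt(String name) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put("java.naming.factory.initial", "com.sun.jndi.dns.DnsContextFactory");
        DirContext ctx = new InitialDirContext(env);
        try {
            Attribute a = ctx.getAttributes(name, new String[] {"TXT"}).get("TXT");
            // Strip surrounding quotes in case the provider returns them.
            return a == null ? null : a.get().toString().replaceAll("^\"|\"$", "");
        } finally { ctx.close(); }
    }

    /** IP -> hostname -> details, returned as extra message fields. */
    static Map<String, String> enrich(String ip, TxtResolver dns) {
        Map<String, String> fields = new LinkedHashMap<>();
        try {
            String host = dns.txt(ip + "." + ZONE);
            // DNS answers are untrusted input: accept only a plain host label (assumed).
            if (host == null || !host.trim().matches("[A-Za-z0-9-]{1,63}")) return fields;
            host = host.trim();
            fields.put("asset_hostname", host);
            String details = dns.txt(host + "." + ZONE);
            if (details == null) return fields;
            for (String pair : details.split(";")) {      // assumed "key=value;..." layout
                String[] kv = pair.split("=", 2);
                if (kv.length == 2 && kv[0].trim().matches("[A-Za-z0-9_]+"))
                    fields.put("asset_" + kv[0].trim().toLowerCase(Locale.ROOT), kv[1].trim());
            }
        } catch (NamingException e) {
            // Unknown address or DNS failure: keep whatever was resolved so far.
        }
        return fields;
    }

    public static void main(String[] args) {
        Map<String, String> zone = new HashMap<>();       // constructed sample records
        zone.put("10.1.2.3.assets.mgt", "ws-042");
        zone.put("ws-042.assets.mgt", "os=Windows 10;owner=jdoe;hardware=Latitude 7490");
        System.out.println(enrich("10.1.2.3", zone::get));
    }
}
```

Passing `AssetTxtLookup::jndiTxt` instead of `zone::get` runs the same logic against the real zone through the host's configured resolver.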


#2

Hey Jason,

I would recommend following the graylog plugin docs. They are a bit out of date. The scripts to bootstrap a plugin are deprecated and new updates for graylog 2.0 have not been added. I would also recommend taking a look at any of the plugins that exist in the graylog project such as the graylog-plugin-map-widget. This helped me to get a good start on the plugin that I am writing.

Here are some notes I took after reading through the graylog plugin documentation and getting a basic plugin framework running and compiled in graylog.

At the very minimum you need to implement two interfaces:

org.graylog2.plugin.Plugin - which is the entry to your plugin code
org.graylog2.plugin.PluginMetaData - which describes your plugin

Create src/main/resources folder (services)

mkdir META-INF/services
cd META-INF/services
vim org.graylog2.plugin.Plugin

Inside the Plugin file place

org.graylog.plugins.#NAME_OF_PLUGIN

This is how graylog finds the plugin to load

In addition to the service, Graylog needs an additional resource file called graylog-plugin.properties in a special location. Inside the /src/main/resources folder create

mkdir org.graylog.plugins.graylog-plugin-#NAME_OF_PLUGIN

Inside the folder place graylog-plugin.properties file
You can find the information that needs to be in this file from an existing plugin project on github

create a pom.xml, webpack.config.js, package.json, and build.config.js

You can get these from an existing plugin project on github and modify them to fit your project