Issue with gl2_remote_ip


(Luca Profico) #1

Hello,

I am trying to overwrite the “source” field with gl2_remote_ip but it seems this var is empty, or non-existent.

The rule I am using is:

rule "Set Source IP"
when has_field("message") 
then 
set_field("source_ip", to_string($message.gl2_remote_ip));
set_field("test", "yes");
end

The “test” field I am using as a check gets properly set but source_ip does not.
If I try to set the field “source_ip” with a fixed string, it is ok, it seems that $message.gl2_remote_ip cannot be used in this context.

Running Graylog 2.4.3, installed the OVA VM.

Any hint?

Thanks


(Jochen) #2

The gl2_remote_ip is being set only if the raw message (received by the network transport) does contain information about the remote address:

Some inputs don’t set this remote address information, so you might be out of luck.

You could also use the debug() function to check the actual contents of the messages for which the rule is being executed.


(Luca Profico) #4

On the “search” page if I look at the messages and enable the gl2_remote_ip field visibility, it is there and with the right value. I guess that means the input is ok.


(Luca Profico) #5

So, on the search page I can see the message and the value gl2_remote_ip actually contains the message sender ip address. But in a rule the information is unavailable.

Debugged as follows:

rule "Set Source IP"
when has_field("message") then 
set_field("source_ip", $message.gl2_remote_port);
set_field("test", "yes");

let debug_message = concat("message.full : ", to_string($message.full));
debug(debug_message);

let debug_message = concat("message.gl2_remote_ip : ", to_string($message.gl2_remote_ip));
debug(debug_message);

end

got this in the logs:

2018-02-13_10:22:08.80797 INFO  [Function] PIPELINE DEBUG: message.full :
2018-02-13_10:22:08.81366 INFO  [Function] PIPELINE DEBUG: message.gl2_remote_ip :

Thanks


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.