Hi All,
I am sending syslog data from some networking devices ( Netgear switches, Siemens switches etc) to our Graylog instance. What’s happening is that the syslog msgs show “source” field as the ip-address of the device instead of the hostname. I understand that this is parsing issue and we need custom extractors to parse the data correctly . My question is regarding creating pipeline rules to resolve this.
I have created a stream-rule called “Siemens i800” as shown below that matches the field source with it’s corresponding device ip-address. Next i then created a pipleline called i800 which is connected to this steam. What’s next ? What more needs to be done to make this pipeline run and show the source name correctly in web UI ?
It still did not change the source field to show hostname in the web UI . Thats why i am wondering there is some more config to overwrite the source needed after creating the pipeline. Any words of wisdom ?
when you send in syslog data and source is shown as IP - then the device is sending the IP as source in the syslog message.
To map this IP to a hostname you would use the Lookup Tables ( http://docs.graylog.org/en/2.4/pages/lookuptables.html ) to map this IP to a hostname. For that you need to create a CSV File (or DSV) that contains the mapping from IP to hostname. Then you can use one extractor or the processing pipelines to make the lookup and replacemend.
Upcoming versions of Graylog will also have a DNS Lookup Table that enables you to just query DNS for that data.
Thanks Jan. In the meantime, do you think the below pipeline rule makes sense ?
Basically what i doing below is look for the source field and if the source ip of remote device is 192.168.1.10 then replace/overwrite that field with the host name “Cisco-ASA”.
rule "Correct CiscoASA hostname"
when
has_field("source") AND contains(to_string($message.gl2_remote_ip), "192.168.1.10")
then
set_field("source", "Cisco-ASA");
end
the field gl2_remote_ip always contains the IP of the host that had handover the message to Graylog. If you have a system with a proxy - this will be the proxy. The rule would make more sense in the following way:
rule "Correct CiscoASA hostname"
when
has_field("source") AND contains(to_string($message.source), "192.168.1.10")
then
set_field("source", "Cisco-ASA");
end
or
rule "Correct CiscoASA hostname"
when
contains(to_string($message.gl2_remote_ip), "192.168.1.10")
then
set_field("source", "Cisco-ASA");
end