Noob ISO Pipeline Help

Hello all, I have been working with Graylog for about a month now so please bear with me if I end up using incorrect terminology. And thank you in advance for any help you can provide.

I have created a lookup table that converts hexadecimal error codes of a failed Windows NTLM Authentication attempt to a text description of that code. I have these logs flowing in and have created a lookup table to map the hex codes to the description I would like to see in the logs. When I test the data adapter it works as I would expect it to.

I believe I need to create a pipeline for this conversion to show in my log stream for Windows Security Event Logs. My basic logic is as follows, and I have attached a screenshot of an example message.

IF event_id: 4776 AND keywords:[“Audit Failure”]
THEN convert event_data_Status and the substatus Error Code: of message.

I want all of my other messages to also continue going to the stream. Could I please get some advice/examples on how to make this happen? Please let me know if there’s any additional info you need.

Here is a stab at the pipeline rule you can set up.

   rule "Win-Failure-4776-06a"
        to_string($message.event_id)    == "4776"             &&
        contains(to_string($message.keywords),"Audit Failure")
        let err_code_lu     = lookup_value("HexErrTable",to_string($message.event_data_Status), 0);
        set_field("error_code", to_string(err_code_lu) );
        // in my opinion it is preferable to simply have a new field that contains your error code
        // overwriting the original event_data_Status could cause future issues
        //...but if you wanted overwrite:

        replace(to_string($message.message),to_string($message.event_data_Status), to_string(err_code_lu) );
        //now that you changed this one in the message, you can obliterate the original value with your lookup value.
        set_field("event_data_Status", to_string(err_code_lu));


Thank you, I’ll give that a try. If I want to add to instead of replace, what would that line look like?

Assuming you mean add the translation to the original message next to the hex code?

let err_trans = concat(to_string($message.event_data_Status), " - translated: ");
let err_trans = concat(to_string(err_trans), to_string(err_code_lu));

replace(to_string($message.message),to_string($message.event_data_Status), to_string(err_trans) );

I actually mean create a new field in the message with the translated text.

Also, what does the 0 at the end of this line do? Check if it exists?

let err_code_lu     = lookup_value("HexErrTable",to_string($message.event_data_Status), 0);

I had that in the original - this sets the new field “error_code” to be the results of the lookup.

When you are writing the rules in the pipeline, the is a search on the right that gives you the basics of all the functions - for more detail you can look at the documentation online…


in this case the online is less descriptive .

So you could change from 0 to something like “Not found in table!”

Thank you so much, I appreciate you taking the time to help.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.