Hello all, I have been working with Graylog for about a month now so please bear with me if I end up using incorrect terminology. And thank you in advance for any help you can provide.
I have created a lookup table that converts hexadecimal error codes of a failed Windows NTLM Authentication attempt to a text description of that code. I have these logs flowing in and have created a lookup table to map the hex codes to the description I would like to see in the logs. When I test the data adapter it works as I would expect it to.
I believe I need to create a pipeline for this conversion to show in my log stream for Windows Security Event Logs. My basic logic is as follows, and I have attached a screenshot of an example message.
IF event_id: 4776 AND keywords:["Audit Failure"]
THEN convert event_data_Status and the substatus "Error Code:" of message.
I want all of my other messages to also continue going to the stream. Could I please get some advice/examples on how to make this happen? Please let me know if there’s any additional info you need.
Here is a stab at the pipeline rule you can set up.
rule "Win-Failure-4776-06a"
when
    to_string($message.event_id) == "4776" &&
    contains(to_string($message.keywords), "Audit Failure")
then
    // look up the description for the hex status; the default 0 comes back when the code is not in the table
    let err_code_lu = lookup_value("HexErrTable", to_string($message.event_data_Status), 0);
    set_field("error_code", to_string(err_code_lu));
    // in my opinion it is preferable to simply have a new field that contains your error code
    // overwriting the original event_data_Status could cause future issues
    //...but if you wanted overwrite:
    // replace() returns a new string and does not touch the message by itself, so write the result back
    let new_message = replace(to_string($message.message), to_string($message.event_data_Status), to_string(err_code_lu));
    set_field("message", new_message);
    //now that you changed this one in the message, you can obliterate the original value with your lookup value.
    set_field("event_data_Status", to_string(err_code_lu));
end
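To check the rule's logic before it goes into Graylog, here is an added Python model of it (not from this thread and not Graylog's own code) run over constructed 4776 events; the table contents, the "0" default on a lookup miss, and the lowercase-to-uppercase key normalisation are assumptions of the example.

```python
# Added example: a Python model of rule Win-Failure-4776-06a, applied to
# constructed Windows 4776 events. Not Graylog code; it mirrors the rule's logic.

# Constructed stand-in for the "HexErrTable" CSV lookup table: NTLM substatus
# codes reported in event_data_Status for event 4776 (well-known Windows values).
HEX_ERR_TABLE = {
    "0xC0000064": "User name does not exist",
    "0xC000006A": "Correct user name but wrong password",
    "0xC0000234": "Account locked out",
    "0xC0000072": "Account disabled",
    "0xC0000071": "Password expired",
}
LOOKUP_DEFAULT = 0  # mirrors the 0 default passed to lookup_value() in the rule


def lookup_value(table, key, default):
    """Emulates Graylog's lookup_value(): the default is returned on a miss."""
    return table.get(key, default)


def apply_rule(event):
    """Match 4776 Audit Failure, add error_code, rewrite the hex code in the
    message, then overwrite event_data_Status. Other events pass through."""
    event = dict(event)  # do not mutate the caller's record
    if str(event.get("event_id")) != "4776" or "Audit Failure" not in str(event.get("keywords", "")):
        return event
    raw_status = str(event.get("event_data_Status", ""))
    # Assumption: event data may arrive as lowercase hex while the table keys are
    # uppercase; normalise the digits so the lookup key matches.
    key = raw_status[:2] + raw_status[2:].upper()
    description = str(lookup_value(HEX_ERR_TABLE, key, LOOKUP_DEFAULT))
    event["error_code"] = description
    # replace() yields a new string; it has to be written back into the message field.
    event["message"] = str(event.get("message", "")).replace(raw_status, description)
    event["event_data_Status"] = description
    return event


def process(events):
    return [apply_rule(e) for e in events]


# Constructed sample events (message text abbreviated)
SAMPLE_EVENTS = [
    {"event_id": "4776", "keywords": "[Audit Failure]", "event_data_Status": "0xc000006a",
     "message": "... Error Code: 0xc000006a"},
    {"event_id": "4776", "keywords": "[Audit Failure]", "event_data_Status": "0xC0000999",
     "message": "... Error Code: 0xC0000999"},
    {"event_id": "4776", "keywords": "[Audit Success]", "event_data_Status": "0x0",
     "message": "... Error Code: 0x0"},
]

if __name__ == "__main__":
    for e in process(SAMPLE_EVENTS):
        print(e.get("error_code", "<passthrough>"), "|", e["message"])
```

The second sample shows the cost of the overwrite path on a lookup miss: event_data_Status and the message end up holding the default "0" and the original code is gone, which is the reason to keep the separate error_code field.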
I had that in the original - this sets the new field "error_code" to be the result of the lookup.
When you are writing the rules in the pipeline, there is a search on the right that gives you the basics of all the functions - for more detail you can look at the documentation online…