Anyone else had issues with this? My Graylog cluster (3 nodes) is happily passing around 8k messages per second to an elastic cluster. It can double that throughput without any issues
I have three threat intelligence lookups enabled in a pipeline for my cluster. Spamhaus, and these two below. All work great. However, when I attempt to enable OTX for source IPs, it tanks my entire cluster. Messages queue up, the processing time goes through the floor (8k per second to around 1k). Anyone seen this?
rule “Threat Intelligence Lookups: dst_addr”
when
has_field(“destination_ip”) && ! in_private_net(to_string($message.“destination_ip”))
then
set_fields(threat_intel_lookup_ip(to_string($message.dst_addr), “destination_ip”));
end
*rule “Threat Intelligence Lookups: src_addr”
when
has_field(“source_ip”)
then
set_fields(threat_intel_lookup_ip(to_string($message.source_ip), “source_ip”));
end*
OTX code below
rule “Threat Intelligence OTX: source_ip”
when
has_field(“source_ip”)
then
let intel = otx_lookup_ip(to_string($message.source_ip));
// let intel = otx_lookup_domain(to_string($message.dns_question))
set_field(“threat_indicated”, intel.otx_threat_indicated);
set_field(“threat_ids”, intel.otx_threat_ids);
set_field(“threat_names”, intel.otx_threat_names);
end