I would like to extract the IP address from the src=x.x.x.x message field and put it in a new field, so that I can build my dashboard on that field.
First of all, is it a pipeline rule or an extractor that I need?
Can someone explain the fundamental difference? I don't understand.
This is my pipeline rule for now… I found it on this forum but I don't know how to use it…
rule "function ExtractIPv4Pairs"
when
  // only run when the message carries both a src=x.x.x.x and a dst=x.x.x.x address
  regex("src=(\\d{1,3}(?:\\.\\d{1,3}){3}).*dst=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message)).matches
then
  // same pattern again, this time naming the two capture groups "src" and "dst"
  let pair = regex("src=(\\d{1,3}(?:\\.\\d{1,3}){3}).*dst=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message), ["src", "dst"]);
  // store the source as an IP-typed field; the field name must not contain spaces
  set_field("IPSource", to_ip(pair["src"]));
end
Then, I use the pipeline rule provided in the Graylog documentation on the "Source_IP" field in order to get the map working.
Maybe if you post the entire log (with the addresses anonymized) in an editable format (like using a code block here) I might be able to help you more!
Well, it's quite easy to create the extractor. You go to the message, and on the field you want to extract from you click on the little arrow pointing down, then "Create extractor". Then select "Grok pattern" for the type and submit.
On the page that opens, you can write your extractor and try it against the message you selected to see whether it works or not!
Again, feel free to ask if you have difficulties, but it'll be hard to help you without the entire message you're working on ^^
rule "GeoIP lookup: srcip"
when
  has_field("srcip")
then
  // "geoip" is the name of the lookup table backed by the MaxMind database
  let geo = lookup("geoip", to_string($message.srcip));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end
I think there might be a cleaner solution than just testing it against a real stream, but that's how I personally proceed when I write a new pipeline.
French too; the pipeline I use also has "names.en"… I didn't try changing it to "names.fr" because it works flawlessly for me.
I created my pipeline rule (the name of my lookup table is "geoip"):
//
rule "geoip"
when
  has_field("IPSource")
then
  let geo = lookup("geoip", to_string($message.IPSource));
  set_field("ipsrc_location", geo["coordinates"]);
  set_field("ipsrc_country_name", geo["country"].names.en);
end
//
The problem:
When I generate a log on my firewall, I don't get the "ipsrc_location" and "ipsrc_country_name" fields that my pipeline should create; only the IPSource field appears.
You can use the debug() function in your pipeline rule to see what is going on (see the example below). Also, check whether your Message Filter Chain is set BEFORE your Pipeline Processor (see further below) in System/Configurations…
rule "geoip"
when
  has_field("IPSource")
then
  // tail -f /var/log/graylog-server/server.log to see the results of the debug message
  debug(concat("=========== IPSource is: ", to_string($message.IPSource)));
  let geo = lookup("geoip", to_string($message.IPSource));
  set_field("ipsrc_location", geo["coordinates"]);
  set_field("ipsrc_country_name", geo["country"].names.en);
end
THANK YOU, IT WORKS!
I understand the pipeline system better now… thanks a lot.
Last thing: I would like to make a data table with the identification information.
I would have to create a "user" extraction and put it in a new field.
I understand the principle of extractors now, but I don't understand JSON, regex, etc…
Is there an easier way to extract the user field into a new field?
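Added example, not code from this thread or from Graylog: a small script to try Grok-style patterns offline before pasting them into a Grok extractor (the "Create extractor" flow described earlier) or into a regex() pipeline rule. It covers both things asked for in the thread, the src=/dst= addresses and the user= field. The pattern table is a hand-written subset of the patterns Graylog ships (assumption: the standard IPV4 and USERNAME names), the IPV4 entry is deliberately loose so that the address-validation step is exercised, and the log lines are constructed, not real firewall output.

```python
import re
import ipaddress

# Hand-written subset of Grok patterns (assumption; Graylog ships the real ones).
# IPV4 is looser than Graylog's: a bad octet passes the regex and is caught by
# the ipaddress check in process() below, which plays the role of to_ip().
GROK_PATTERNS = {
    "IPV4": r"\d{1,3}(?:\.\d{1,3}){3}",
    "USERNAME": r"[a-zA-Z0-9._@-]+",
}
_GROK_REF = re.compile(r"%\{(\w+)(?::(\w+))?\}")


def grok_to_regex(pattern):
    """Expand 'src=%{IPV4:src}' into 'src=(?P<src>...)' and compile it.
    A reference without a field name (%{IPV4}) becomes a non-capturing group."""
    def repl(m):
        body = GROK_PATTERNS[m.group(1)]
        return f"(?P<{m.group(2)}>{body})" if m.group(2) else f"(?:{body})"
    return re.compile(_GROK_REF.sub(repl, pattern))


def extract(message, pattern):
    """Named captures as a dict, or {} when the pattern does not match.
    An empty dict is the equivalent of the rule's 'when' guard failing:
    nothing in the 'then' block runs and no field is set."""
    m = grok_to_regex(pattern).search(message)
    return m.groupdict() if m else {}


# The two patterns the thread needs: addresses for the map, user for the table.
# \b after the address stops the match at 'src=1.2.3.4:51234' style fields.
SRC_DST = r"src=%{IPV4:src}\b.*?\bdst=%{IPV4:dst}\b"
USER = r"\buser=%{USERNAME:user}"

SAMPLE_LOGS = [  # constructed sample lines, not real firewall logs
    "conn=12 src=192.168.1.25:51234 dst=198.51.100.7:443 proto=tcp user=jdoe",
    "conn=13 src=10.0.0.300 dst=198.51.100.7 proto=udp",  # src has a bad octet
    "conn=14 rule=deny proto=icmp",                         # no src= at all
]


def process(message):
    """Mirror of the thread's flow: extract src/dst, validate them like
    to_ip() would, then extract the user name. Returns the fields to set."""
    fields = extract(message, SRC_DST)
    for key in ("src", "dst"):
        if key in fields:
            try:
                fields[key] = str(ipaddress.ip_address(fields[key]))
            except ValueError:
                del fields[key]  # not a real address: do not set the field
    fields.update(extract(message, USER))
    return fields


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(line, "->", process(line))
```

The second sample shows why the address check matters: the regex alone happily captures 10.0.0.300, and only the validation step keeps it out of the IP-typed field that the GeoIP lookup later consumes. In Graylog itself the same USER pattern goes straight into a Grok extractor on the message field as `user=%{USERNAME:user}`, with no scripting needed.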