I am having some issues getting a pipeline to work properly that I have had work on other builds and I cannot figure out why or what I’m missing. The pipeline is to parse the Hex code of a failed login to the reason it fails. My lookup table is working properly and I have the pipeline tied to the stream I am trying to run this against.
Server version is 3.3.17
rule "Windows: Event 4625 Cleanup"
when
has_field("event_data_SubStatus") AND contains(to_string($message.event_id), "4625")
then
//Change Logon Code
let update_source = lookup_value("winlogon_status_lookup", $message.event_data_Status);
set_field("event_data_Status", update_source);
let update_source = lookup_value("winlogon_status_lookup", $message.event_data_SubStatus);
set_field("event_data_SubStatus", update_source);
end
Any thoughts or additional info you need to help troubleshoot? Any assistance is GREATLY appreciated.
When you say the tables are working properly, you mean you did a test lookup on the tables and received the results you wanted? Anything show up in the Graylog Server logs?
Quick thought - if Elasticsearch is storing the event_data_Status and event_data_SubStatus fields as a numeric and not Keyword, it may be rejecting the text you are trying to put in. An easy way to test that is to create new fields in your set_field() function.
let update_source = lookup_value("winlogon_status_lookup", $message.event_data_Status);
set_field("event_data_Status_txt", update_source);
let update_source = lookup_value("winlogon_status_lookup", $message.event_data_SubStatus);
set_field("event_data_SubStatus_txt", update_source);
Assuming I am guessing correctly and you wanted to look in depth into ElasticSearch, you could query the field type with something like:
Yes, I can do a test on the lookup table and it responds with what I’m expecting:
It’s almost like it’s not catching my when statement, though I don’t know why it would not be. I tried creating a new field as you suggested and that does nothing as well. This is the result I get from the Curl of event_data_Status:
Before you do the below… are you seeing any errors in your Graylog logs? The debug() messages will tell you what the values are. That might give you a window into what is going on.
Can you post the data in your table? Obfuscated if need be…
rule "Windows: Event 4625 Cleanup"
when
has_field("event_data_SubStatus") AND contains(to_string($message.event_id), "4625")
then
//Change Logon Code
// use $ tail -f /var/log/graylog-server/server.log to watch for the results of the below debug messages
debug("=======================================================================================================================");
debug(concat("*_*_*_*-Before-$message.event_data_Status: ", to_string($message.event_data_Status)));
let update_source = lookup_value("winlogon_status_lookup", $message.event_data_Status);
set_field("event_data_Status", update_source);
debug(concat("*_*_*_*resulting table: [update_source]: ", to_string(update_source)));
debug(concat("*_*_*_* -AFTER- $message.event_data_Status: ", to_string($message.event_data_Status)));
debug("=======================================================================================================================");
debug(concat("*_*_*_*-Before-$message.event_data_SubStatus: ", to_string($message.event_data_SubStatus)));
let update_source = lookup_value("winlogon_status_lookup", $message.event_data_SubStatus);
set_field("event_data_SubStatus", update_source);
debug(concat("*_*_*_*resulting table: [update_source]: ", to_string(update_source)));
debug(concat("*_*_*_* -AFTER- $message.event_data_SubStatus: ", to_string($message.event_data_SubStatus)));
debug("=======================================================================================================================");
end
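As an added, offline check that is not part of the thread or of Graylog itself: the following Python models what the "Windows: Event 4625 Cleanup" rule is meant to do, so the lookup data and the key format (case, 0x prefix, numeric vs. string) can be verified before chasing the pipeline with debug() output. The lookup contents are a constructed table using the documented 4625 SubStatus values; the sample messages in the test are constructed as well.

```python
# Added example, not code from the thread or from Graylog.
# Constructed lookup table, keyed the way a CSV data adapter is usually
# keyed (upper-case, 0x-prefixed). Meanings are the documented 4625 values.
WINLOGON_STATUS_LOOKUP = {
    "0xC000006A": "Wrong password",
    "0xC0000064": "User name does not exist",
    "0xC000006D": "Bad user name or authentication information",
    "0xC0000072": "Account disabled",
    "0xC0000234": "Account locked out",
    "0xC0000193": "Account expired",
    "0xC0000071": "Password expired",
    "0xC000006F": "Logon outside allowed hours",
    "0xC0000070": "Workstation restriction",
    "0xC000015B": "Logon type not granted",
    "0xC0000224": "Password must change at next logon",
    "0x0": "No sub-status",
}


def normalize_status(value):
    """Bring a raw field value to the lookup's key format.

    Accepts '0xc000006a', 'C000006A' or an int and returns '0xC000006A'.
    A key that differs only in case or prefix is a common reason a lookup
    returns nothing even though a manual test of the table succeeds.
    """
    if isinstance(value, int):
        return "0x%X" % value
    text = str(value).strip()
    if text.lower().startswith("0x"):
        text = text[2:]
    return "0x" + text.upper()


def matches_rule(message):
    """Equivalent of the rule's 'when' clause."""
    return ("event_data_SubStatus" in message
            and "4625" in str(message.get("event_id", "")))


def cleanup_4625(message):
    """Equivalent of the 'then' block: resolve Status and SubStatus.

    lookup_value() without a default yields null for an unknown key; here an
    unknown code keeps the raw value so the original evidence is not lost.
    """
    if not matches_rule(message):
        return message
    out = dict(message)
    for field in ("event_data_Status", "event_data_SubStatus"):
        key = normalize_status(out[field])
        out[field] = WINLOGON_STATUS_LOOKUP.get(key, out[field])
    return out
```

If the keys in the real table are lower-case or lack the 0x prefix, adjust normalize_status() to match them; the point is that the field value and the table key must agree exactly.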