Pipeline Not Working

I am having some issues getting a pipeline to work properly that I have had work on other builds and I cannot figure out why or what I’m missing. The pipeline is to parse the Hex code of a failed login to the reason it fails. My lookup table is working properly and I have the pipeline tied to the stream I am trying to run this against.

Server version is 3.3.17

rule "Windows: Event 4625 Cleanup"

    has_field("event_data_SubStatus") AND contains(to_string($message.event_id), "4625")
//Change Logon Code
  let update_source = lookup_value("winlogon_status_lookup", $message.event_data_Status);
  set_field("event_data_Status", update_source);
  let update_source = lookup_value("winlogon_status_lookup", $message.event_data_SubStatus);
  set_field("event_data_SubStatus", update_source);



Any thoughts or additional info you need to help troubleshoot? Any assistance is GREATLY appreciated.

When you say the tables are working properly, you mean you did a test lookup on the tables and received the results you wanted? Anything show up in the Graylog Server logs?

Quick thought - if Elasticsearch is storing the event_data_Status and event_data_SubStatus fields as a numeric and not Keyword, it may be rejecting the text you are trying to put in. An easy way to test that is to create new fields in your set_field() function.

  let update_source = lookup_value("winlogon_status_lookup", $message.event_data_Status);
  set_field("event_data_Status_txt", update_source);
  let update_source = lookup_value("winlogon_status_lookup", $message.event_data_SubStatus);
  set_field("event_data_SubStatus_txt", update_source);

Assuming I am guessing correctly and you wanted to look in depth into ElasticSearch, you could query the field type with something like:

curl -XGET http://<graylog_server>:9200/<index_name>/_mapping/field/event_data_Status?pretty
curl -XGET http://<graylog_server>:9200/<index_name>/_mapping/field/event_data_SubStatus?pretty
1 Like