Pipeline Rule for Changing Type Based on Port Number

Hi, so I have a regex extractor that populates a field called “packet_destination_port” based on the message, this works correctly.

I then want to have a pipeline rule that changes the “type” field to “failed_remote_session” if the destination port is 22, 80, 443, 3389 (in this example just port 22 for simplicity).

rule
    "Type = failed_remote_session"
when
    has_field("packet_destination_port") && to_long($message.packet_destination_port) == 22
then
    set_field("type", "failed_remote_session");
end

However, when I simulate processing a message with the field packet_destination_port:22, it does not satisfy the rule requirements.

I think this is because the packet_destination_port is extracted as an object and it’s failing to convert the object to a long (number). I have tried adding a numeric converter to the extractor, I have tried using to_string and == “22” instead of long. I have tried creating a rule that stores the packet_destination_port field as a variable and re-sets the field as a long. No success.

Does anyone have any suggestions of how to get round this? Am I doing something wrong?

Hey, Linden,

Thanks for asking in the community. What follows are guesses based on what you’ve posted. We have a lot of experienced practitioners in the community who also may want to post to help you out.

Is it possible that the data type of the “packet_destination_port” field is being extracted as an object, rather than a numeric value (string vs numeric)?

One thought is to use a pipeline processor to convert the “packet_destination_port” field from an object to a numeric value (e.g. long or int) before the pipeline rule is applied.

Or maybe use the to_string() function to convert the object to string, and then using == “22” instead of to_long().

You can try to check the data type of the field using type_of() function and take appropriate action accordingly.

Last, I’m thinking that maybe there is an issue with the extractor configuration or the way the message is sent to Graylog. Double-check these elements to ensure that the “packet_destination_port” field is being extracted correctly.

I hope this helps.


Hey @Linedo
Perhaps something like this

rule "failed_remote_session"
when
    has_field("packet_destination_port") AND contains(to_string($message.packet_destination_port), "22")
then
    set_field("failed_remote_session","batman");
end
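As an added example (not code from the original thread), this is the rule for all four ports listed in the opening question, written with numeric comparison. It uses the two-argument form of to_long so that a value that cannot be converted becomes 0 and simply fails the comparison, and it compares the converted number rather than testing a substring, so a destination port of 2222 or 1022 does not match 22. The field name packet_destination_port is taken from the question; the rule name and the type value are assumptions for illustration.

```graylog
// Added example: tag traffic to common remote-access ports.
// Assumes the extractor has a numeric converter attached (as in the
// question), so the field holds a number; to_long with a default of 0
// still makes the rule safe if a non-numeric value slips through.
rule "Type = failed_remote_session (remote-access ports)"
when
    has_field("packet_destination_port") &&
    (
        to_long($message.packet_destination_port, 0) == 22   ||  // SSH
        to_long($message.packet_destination_port, 0) == 80   ||  // HTTP
        to_long($message.packet_destination_port, 0) == 443  ||  // HTTPS
        to_long($message.packet_destination_port, 0) == 3389     // RDP
    )
then
    set_field("type", "failed_remote_session");
end
```

The conversion is repeated in each branch because pipeline rules only allow let-bound variables inside the then block, not in the when condition. If the field is later extracted as a string without a converter, the same rule still works, since to_long parses a numeric string; only an object value falls back to the default of 0.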

Hi @gsmith and @dscyber, thank you very much for your responses!

Turns out I was just being stupid, I thought I had added a numeric converter to the extractor but I didn’t click “Add” before updating and closing the extractor. Now that it is not extracting as an object type, it can be converted into a string/long data type.

This might also be a dumb question, but does anyone know the reason objects cannot be converted into other data types?


Hey

In Java, every variable has a data type and stores a value of that type. Data types, or types for short, are divided into two categories: primitive and non-primitive. There are eight primitive types in Java: byte, short, int, long, float, double, boolean and char. These built-in types describe variables that store single values of a predefined format and size. Is this what you’re referring to?

