Pipeline Rule + Regex

Hi there,

Trying to write a rule that looks for Windows/Directory Services event ID 2889 and re-writes one of the fields. The field contains an IP and a port (example: 172.189.20.201:59559) and I want just the IP (example: 172.189.20.201). The field is “winlogbeat_winlog_event_data_param1”.

Here is my rule:

rule "unsigned ldap IP parser"
when
    contains(to_string($message.winlogbeat_event_code), "2889")
then
    // take everything before the first ":" of "ip:port"
    let temp = regex("^[^:]*", to_string($message.winlogbeat_winlog_event_data_param1));
    set_field("winlogbeat_client_ip", temp["0"]);
end

Here is an example log:

beats_type: winlogbeat
message:
  The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

  Client IP address:
  192.168.2.3:51193
  Identity the client attempted to authenticate as:
  win.local/berp
  Binding Type:
  0
source: dc4
timestamp: 2022-04-29 16:13:39.243 -07:00
winlogbeat_@metadata_beat: winlogbeat
winlogbeat_@metadata_type: _doc
winlogbeat_@metadata_version: 7.11.1
winlogbeat_@timestamp: 2022-04-29 16:13:39.243 -07:00
winlogbeat_agent_ephemeral_id: 6d35cc06-cc43-42b6-b171-e8c973edeeca
winlogbeat_agent_hostname: dc4
winlogbeat_agent_id: f4326cde-ab08-434c-bccb-15bde0aecae0
winlogbeat_agent_name: dc4
winlogbeat_agent_type: winlogbeat
winlogbeat_agent_version: 7.11.1
winlogbeat_collector_node_id: dc4
winlogbeat_ecs_version: 1.7.0
winlogbeat_event_action: LDAP Interface
winlogbeat_event_code: 2889
winlogbeat_event_created: 2022-04-29 16:13:40.675 -07:00
winlogbeat_event_kind: event
winlogbeat_event_provider: Microsoft-Windows-ActiveDirectory_DomainService
winlogbeat_host_name: dc4.win.local
winlogbeat_log_level: information
winlogbeat_tags: ["windows"]
winlogbeat_winlog_api: wineventlog
winlogbeat_winlog_channel: Directory Service
winlogbeat_winlog_computer_name: dc4.win.local
winlogbeat_winlog_event_data_param1: 192.168.2.3:51193
winlogbeat_winlog_event_data_param2: win.local/berp
winlogbeat_winlog_event_data_param3: 0
winlogbeat_winlog_event_id: 2889
winlogbeat_winlog_keywords: ["Classic"]
winlogbeat_winlog_process_pid: 688
winlogbeat_winlog_process_thread_id: 2692
winlogbeat_winlog_provider_guid: {0e8478c5-3605-4e8c-8497-1e730c959516}
winlogbeat_winlog_provider_name: Microsoft-Windows-ActiveDirectory_DomainService
winlogbeat_winlog_record_id: 5374839
winlogbeat_winlog_task: LDAP Interface
winlogbeat_winlog_user_domain: NT AUTHORITY
winlogbeat_winlog_user_identifier: S-1-5-7
winlogbeat_winlog_user_name: ANONYMOUS LOGON
winlogbeat_winlog_user_type: Well Known Group

Using Graylog version 4.2.7. Thanks!

-Blue

What are you having problems with? Rule not firing? Regex not returning expected result?

Hi Patrickmann,

I am not sure which part is failing. I definitely don’t see a new field being added to messages coming in with the event ID 2889. At this point I am going to say maybe the rule just isn’t firing at all.

You were just missing parentheses around the regex to denote the capture group.
This should work:
let temp = regex("(^[^:]*)",to_string($message.winlogbeat_winlog_event_data_param1));

When debugging regex it really helps to break things down into smaller pieces and validate as you go, using e.g. debug().

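A fuller version of the corrected rule, added here as an illustration rather than code from either post. It keeps the field names from the example log above, extracts both the IP and the port so the port is not silently thrown away, and moves the match check into the `when` clause, since the rule language has no if/else in the action block. The output field names `winlogbeat_client_ip` and `winlogbeat_client_port` are my own choice, and the pattern assumes the IPv4 `ip:port` form shown in the log (an IPv6 client address would not match and the rule would simply not fire).

```graylog
rule "unsigned ldap IP parser (ip + port)"
when
    // Compare the code exactly; contains("2889") would also fire on
    // codes such as "12889".
    to_string($message.winlogbeat_event_code) == "2889" &&
    has_field("winlogbeat_winlog_event_data_param1") &&
    // regex() returns a match object whose .matches flag says whether the
    // pattern matched; checking it here means the actions below only run
    // when both capture groups are actually present.
    regex("^([0-9]{1,3}(?:[.][0-9]{1,3}){3}):([0-9]{1,5})",
          to_string($message.winlogbeat_winlog_event_data_param1)).matches == true
then
    // The capture groups come back keyed by index as a string, starting at
    // "0" for the FIRST group (not the whole match). Without parentheses in
    // the pattern there are no groups and temp["0"] is null, which is why
    // the original rule looked like it never fired.
    // The literal dot is written as [.] so no backslash escaping is needed
    // inside the rule string; (?:...) keeps the inner group out of the map.
    let parts = regex("^([0-9]{1,3}(?:[.][0-9]{1,3}){3}):([0-9]{1,5})",
                      to_string($message.winlogbeat_winlog_event_data_param1));

    set_field("winlogbeat_client_ip", parts["0"]);
    set_field("winlogbeat_client_port", to_long(parts["1"]));

    // While developing, debug() writes the extracted value to the server
    // log so you can confirm the group index is right before relying on it.
    debug(concat("event 2889 unsigned/clear-text LDAP bind from ", parts["0"]));
end
```

The regex is evaluated twice (once as the guard, once for extraction); for a single low-volume event ID that is a fair trade for not writing a null field. With the client IP in its own field you can aggregate 2889 events per source host and per `winlogbeat_winlog_event_data_param2` identity to find which clients still bind without signing or over clear text, which is the inventory you need before turning on LDAP signing or channel binding enforcement on the domain controllers.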

Hi Patrickmann,

This did the trick! Thank you for your assistance.
