Pipeline rules problem

Hi @all,

I'm currently having problems getting an “is_ip(value)” function to work.
We receive syslog and once in a while the sender includes its IP rather than the hostname in the message. If this is the case I need to do a reverse lookup and replace the IP with the fqdn I get.
I have set up a test using a pipeline rule that checks for a syslog message and tries to determine if the source was an ip rather than a hostname.

I have: graylog 4.2.6 running on CentOS7

The test rule:

rule "test"
when
    has_field("facility") AND
    to_string($message.facility) == "syslogd" AND
    has_field("source") AND
    is_ip($message.source)
then
   ...do the needful
end

The rule renders syntactically correct but somehow is_ip won’t determine the IP. I have played with the argument type (to_string()) but the only way I get is_ip to match is when I convert $message.source to an IP object which is obviously not the way to go. :wink:

What am I missing? Help greatly appreciated.

mk

Since to_ip() reverts to 0.0.0.0 if it is malformed, you can do it this way:

rule "test"
when
    has_field("facility")                       AND
    to_string($message.facility) == "syslogd"   AND
    has_field("source")                         AND
    to_string(to_ip($message.source)) != "0.0.0.0"
then
   let the_needful = "Do";
end
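A complete version of the rule above, carried through to the reverse lookup the original question asks for. This is an added example, not code from either poster; it assumes a Graylog lookup table named "reverse_dns" backed by a DNS Lookup data adapter configured for reverse (PTR) lookups, and it keeps the to_ip() sentinel check so the then-block only runs when source really parses as an IP address.

```graylog
// Added example: replace an IP-valued "source" with its reverse-DNS name.
// Assumes a lookup table "reverse_dns" (DNS Lookup adapter, reverse lookup).
rule "resolve ip source to fqdn"
when
    has_field("facility")                       AND
    to_string($message.facility) == "syslogd"   AND
    has_field("source")                         AND
    // to_ip() falls back to 0.0.0.0 for anything that is not an IP address,
    // so hostnames never reach the then-block.
    to_string(to_ip($message.source)) != "0.0.0.0"
then
    let ip = to_string($message.source);
    // Keep the original address for later correlation and auditing.
    set_field("source_ip", ip);
    // lookup_value() returns the third argument when the PTR lookup yields
    // nothing, so a missing reverse record leaves "source" unchanged rather
    // than blanking it.
    let fqdn = to_string(lookup_value("reverse_dns", ip, ip));
    set_field("source", fqdn);
end
```

Because the pipeline language has no conditional inside the then-block, the lookup default is what protects against addresses with no PTR record.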

Thank you for the quick reply!

Meanwhile I had come up with a solution that involves a GROK pattern that will add a field named source_ip if source matches an IP address and two more Rules that then do the dns (reverse) lookups.

Works, but I think I’ll prefer your way. :wink:

Thanks again.
mk


Mark the solution for future searchers! :slight_smile:
