Hi @all,
I'm currently having problems getting an “is_ip(value)” function to work.
We receive syslog and once in a while the sender includes its IP rather than the hostname in the message. If this is the case I need to do a reverse lookup and replace the IP with the FQDN I get.
I have set up a test using a pipeline rule that checks for a syslog message and tries to determine if the source was an IP rather than a hostname.
I have: Graylog 4.2.6 running on CentOS 7
The test rule:
rule "test"
when
    has_field("facility") AND
    to_string($message.facility) == "syslogd" AND
    has_field("source") AND
    is_ip($message.source)
then
    ...do the needful
end
The rule renders syntactically correct but somehow is_ip won't determine the IP. I have played with the argument type (to_string()) but the only way I get is_ip to match is when I convert $message.source to an IP object, which is obviously not the way to go.
What am I missing? Help is greatly appreciated.
mk
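As an added illustration (not code from the post or from Graylog), the logic the rule is meant to implement, written in Python rather than the pipeline rule language: decide whether a string `source` field is an IP literal, reverse-resolve it, and only substitute the PTR name when it forward-resolves back to the same address, so a bogus PTR record cannot plant an arbitrary hostname in the logs. The resolver callables and the sample source values are assumptions for the example.

```python
import ipaddress
import socket
from typing import Callable, Optional, Set

# Constructed sample values for a syslog "source" field (hypothetical,
# not taken from the poster's environment).
SAMPLE_SOURCES = ["192.0.2.10", "2001:db8::1", "loghost01", "192.0.2.999"]


def is_ip(value: str) -> bool:
    """True only for a bare IPv4/IPv6 literal; hostnames and malformed
    addresses (e.g. an octet above 255) return False."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def _reverse(ip: str) -> Optional[str]:
    """PTR lookup; None when the address has no usable reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def _forward(name: str) -> Set[str]:
    """All addresses a hostname resolves to (empty set on failure)."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(name, None)}
    except (socket.gaierror, OSError):
        return set()


def resolve_source(source: str,
                   reverse: Callable[[str], Optional[str]] = _reverse,
                   forward: Callable[[str], Set[str]] = _forward) -> str:
    """Replace an IP-literal source with its FQDN, but only when the PTR
    answer also resolves forward to the same address (forward-confirmed
    reverse DNS). Any other case leaves the original value untouched."""
    if not is_ip(source):
        return source
    ip = str(ipaddress.ip_address(source.strip()))
    name = reverse(ip)
    if not name:
        return source
    if ip not in {str(ipaddress.ip_address(a)) for a in forward(name)}:
        return source
    return name
```

The default resolvers hit real DNS; pass your own `reverse`/`forward` callables to test the decision logic without network access.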