I'm currently having problems getting an “is_ip(value)” function to work.
We receive syslog and once in a while the sender includes its IP rather than the hostname in the message. If this is the case I need to do a reverse lookup and replace the IP with the FQDN I get.
I have set up a test using a pipeline rule that checks for a syslog message and tries to determine if the source was an IP rather than a hostname.
I have: Graylog 4.2.6 running on CentOS 7
The test rule:
rule "test"
when
  has_field("facility") AND to_string($message.facility) == "syslogd"
  AND has_field("source") AND is_ip($message.source)
then
  // ...do the needful
end
The rule renders syntactically correct but somehow is_ip won't determine the IP. I have played with the argument type (to_string()) but the only way I get is_ip to match is when I convert $message.source to an IP object, which is obviously not the way to go.
What am I missing? Help greatly appreciated.
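The behaviour described in the post (only an already-converted IP object matches) is what a type test does, while the check the post actually needs is a parse of the string in `source`. The Python below is an added example, not Graylog code and not a pipeline rule: it implements that parse check plus the facility/source gating and the reverse-lookup replacement, against a constructed PTR table so it runs offline; the field names, the `source_ip` field and the `PTR_TABLE` contents are assumptions.

```python
import ipaddress
from typing import Callable, Optional

# Constructed PTR table standing in for a reverse-DNS resolver so the example
# runs offline. In production, pass a callable that performs the real lookup
# and treat whatever it returns as untrusted input (the sender controls its PTR).
PTR_TABLE = {
    "192.0.2.10": "syslog-relay.example.net",
    "2001:db8::25": "mail.example.net",
}


def is_ip_literal(value: object) -> bool:
    """True only if value is a string that parses as an IPv4 or IPv6 address.

    This is a parse check on the string, which is what the post is after; a
    type check that only accepts an IP object returns False for every string.
    """
    if not isinstance(value, str):
        return False
    try:
        ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return True


def lookup_offline(ip: str) -> Optional[str]:
    """Reverse lookup against the constructed table (None when no PTR exists)."""
    return PTR_TABLE.get(ip)


def normalize_source(message: dict,
                     resolve: Callable[[str], Optional[str]] = lookup_offline) -> dict:
    """Replace a literal-IP 'source' with its FQDN when a PTR record exists.

    Mirrors the rule's conditions: facility must be 'syslogd' and 'source'
    must be present. The canonical IP is kept in 'source_ip' (assumed field
    name) so the original indicator survives the rewrite for later searching.
    """
    if message.get("facility") != "syslogd" or "source" not in message:
        return message
    src = message["source"]
    if not is_ip_literal(src):
        return message
    canonical = str(ipaddress.ip_address(src.strip()))
    out = dict(message)
    out["source_ip"] = canonical
    fqdn = resolve(canonical)
    if fqdn:
        out["source"] = fqdn
    return out
```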