Pipeline Rules Work if Streams is set to "All Messages" but not specific Stream

Pipeline Rules Work if Connection Stream is set to “All Messages” but not when a specific Stream is selected.

I have searched the boards, Google, YouTube… I think I am doing it right… maybe?!

Using Graylog OVA 4.0.7+c3e766c

Any guidance is appreciated.

Thanks

Arn

Please send more information: your Graylog version, your stream configuration, your pipeline rule, your processing order and so on. Otherwise it’s not possible to help you.

Using Graylog OVA 4.0.7+c3e766c

Simple rule from Graylog blog (I think it was from a Graylog blog)

rule "enrichment_rfc1918_dst_ip"
when
    has_field("source")
    AND
    // check if rfc1918, only one of these must be true
    (
        cidr_match("10.0.0.0/8", to_ip($message.source))
        OR
        cidr_match("172.16.0.0/12", to_ip($message.source))
        OR
        cidr_match("192.168.0.0/16", to_ip($message.source))
        OR
        cidr_match("127.0.0.0/8", to_ip($message.source))
    )
then
    set_field("dst_ip_is_internal", true);
end

Simple syslog from Sonicwall
Syslog Index created
Stream is associated with the Syslog index created
When the pipeline is connected to “All Streams” it works
When the pipeline is connected to the Syslog Stream it does not work

Thank you,

Arn
