I’m a new French Graylog user, and I have a question about pipelines and regex values:
1. Describe your incident:
I receive specific logs that contain a public IP address in the message. I have to create an aggregation with an extractor and a search with a regular expression to create a “top 10”. I’d like to use the map widget to see where these IP addresses are located in the world. I have read the process to use GeoIP, but I get stuck at the final step: pipeline creation.
2. Describe your environment:
OS Information: Debian 11.0.14
Package Version: Graylog 4.2.6+0210617
Service logs, configurations, and environment variables: Syslog
3. What steps have you already taken to try and solve the problem?
I need help ^^
4. How can the community help?
How do I create this pipeline with a regex search? Below is what I would like to achieve:
rule "GeoIP:zimbra_auth_failure"
when
<my regex search which extracts the IP address in the field "message">
then
let geo = lookup("geoip", to_string($message.XXXXXXX));
set_field("src_ip_geo_location", geo["coordinates"]);
set_field("src_ip_geo_country", geo["country"].iso_code);
set_field("src_ip_geo_city", geo["city"].names.en);
end
Thanks for your reply
I’d like to add GeoIP coordinates like in this instruction:
But instead of the “src_ip” field, I’d like to “extract” a value from the “message” field.
In practice: I receive messages from my mail server, and some messages warn me that an IP has tried to authenticate but did not succeed (intrusion attempt).
The form of the “message” field is: warning: unknown[X.X.X.X]: SASL LOGIN authentication failed: authentication failure
My rule is :
rule "GeoIP lookup: zimbra_auth_failure"
when
regex("^warning\\:\\sunknown\\[(.+?)\\]\\:\\sSASL\\sLOGIN\\sauthentication\\sfailed\\:\\sauthentication\\sfailure$", to_string($message.message)).matches == true
then
let result = regex("^warning\\:\\sunknown\\[(.+?)\\]\\:\\sSASL\\sLOGIN\\sauthentication\\sfailed\\:\\sauthentication\\sfailure$", to_string($message.message));
let geo = lookup("geoip", result["0"]);
set_field("src_ip_geo_location", geo["coordinates"]);
set_field("src_ip_geo_country", geo["country"].iso_code);
set_field("src_ip_geo_city", geo["city"].names.en);
end
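The extraction step the rule above performs, as an added example that is not part of the post and not Graylog code: a Python version of the same regex run over constructed sample messages. It goes a little beyond the post's pattern (the host part, "unknown" in the post, and the SASL method, "LOGIN" in the post, are capture groups rather than fixed text), validates that the bracketed text really is an IP address before it would reach a GeoIP lookup, drops non-routable addresses (the NON_ROUTABLE list is an assumption about which ranges are worth looking up), and computes the "top 10" aggregation the first post asks for. The function names, the sample lines and the RFC 5737 documentation addresses in them are constructed for this example.

```python
import ipaddress
import re
from collections import Counter

# Python form of the pipeline rule's regex. Host and SASL method are capture
# groups instead of the fixed "unknown" / "LOGIN" of the post, so one pattern
# covers the variants a Postfix/Zimbra SMTP server emits. The bracketed client
# address is the group a GeoIP lookup needs.
SASL_FAILURE_RE = re.compile(
    r"^warning: (?P<host>\S+)\[(?P<ip>[^\]]+)\]: SASL (?P<method>\S+) "
    r"authentication failed: (?P<reason>.*)$"
)

# Ranges for which a GeoIP lookup is meaningless (assumption for this example:
# only internal clients appear from these). The RFC 5737 documentation ranges
# used in the sample lines below are deliberately NOT listed here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def extract_client_ip(message):
    """Return the client IP of a SASL failure line as an ip_address, or None.

    None covers both a line that is not a SASL failure and a bracketed value
    that is not a valid IP, so malformed text never reaches the lookup table.
    """
    m = SASL_FAILURE_RE.match(message)
    if not m:
        return None
    try:
        return ipaddress.ip_address(m.group("ip"))
    except ValueError:
        return None


def is_geoip_candidate(ip):
    """True if the address is routable enough for a GeoIP lookup to make sense."""
    return not any(ip in net for net in NON_ROUTABLE)


def top_sources(messages, n=10):
    """Count SASL failures per lookup-worthy client IP, most frequent first.

    This is the 'top 10' aggregation the first post describes, computed
    directly over raw message strings.
    """
    counts = Counter()
    for line in messages:
        ip = extract_client_ip(line)
        if ip is not None and is_geoip_candidate(ip):
            counts[str(ip)] += 1
    return counts.most_common(n)


# Constructed sample messages (RFC 5737 documentation addresses, not real hosts).
SAMPLE_MESSAGES = [
    "warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[203.0.113.7]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[198.51.100.23]: SASL PLAIN authentication failed: authentication failure",
    "warning: unknown[192.168.1.10]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[not-an-ip]: SASL LOGIN authentication failed: authentication failure",
    "connect from mail.example.net[203.0.113.7]",
]

if __name__ == "__main__":
    for ip, count in top_sources(SAMPLE_MESSAGES):
        print(f"{count:4d}  {ip}")
```

Running the block on the sample lines keeps only the two public addresses: the RFC 1918 client is skipped, the line with a non-IP in brackets is rejected by the address check, and the "connect from" line does not match at all. The same two checks are worth carrying into the pipeline rule, since `(.+?)` in the post's regex will happily hand a non-address to the `geoip` lookup.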
Hello,
Perhaps have the regex on INPUT and create a new field. Then run GeoIP as shown in the documentation.
You’re actually going beyond my limits; @tmacgbay might have a better suggestion.