Pipeline with regex value

Hello all,

I'm a new French Graylog user, and I have a question about pipelines and regex values:

1. Describe your incident:
I receive specific logs that contain a public IP address in the message. I have to create an aggregation with an extractor and a search with a regular expression to create a "top 10". I'd like to use the map widget to see where these IP addresses are located in the world. I have read the procedure for using GeoIP, but I'm stuck at the final step: pipeline creation.

2. Describe your environment:

  • OS Information: Debian 11.0.14
  • Package Version: Graylog 4.2.6+0210617
  • Service logs, configurations, and environment variables: Syslog

3. What steps have you already taken to try and solve the problem?
I need help ^^

4. How can the community help?
How do I create this pipeline with a regex search? Below is what I would like to achieve:

rule "GeoIP:zimbra_auth_failure"
when
  <my regex search which extracts the IP address in the field "message">
then
  let geo = lookup("geoip", to_string($message.XXXXXXX));
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end

Thanks to all :slight_smile:

Hello && Welcome @FloNcy

I might be able to help

So what do you want to place here for your field or regex?

when
  <my regex search which extracts the IP address in the field "message">
then

Perhaps something like this?

hope that helps

Hello,

Thanks for your reply :slight_smile:
I'd like to add GeoIP coordinates as in this instruction:

But instead of the "src_ip" field, I'd like to "extract" a value from the "message" field.

In practice: I receive messages from my mail server, and some messages warn me that an IP has tried to authenticate but did not succeed (intrusion attempt).

The form of the "message" field:
warning: unknown[X.X.X.X]: SASL LOGIN authentication failed: authentication failure

My rule is :

rule "GeoIP lookup: zimbra_auth_failure"
when
  // only fire on the Postfix/Zimbra SASL failure line; backslashes are doubled because the pattern is inside a string literal
  regex("^warning\\:\\sunknown\\[(.+?)\\]\\:\\sSASL\\sLOGIN\\sauthentication\\sfailed\\:\\sauthentication\\sfailure$", to_string($message.message)).matches == true
then
  // run the same pattern again to get the capture groups; result["0"] is the first group, i.e. the IP between the brackets
  let result = regex("^warning\\:\\sunknown\\[(.+?)\\]\\:\\sSASL\\sLOGIN\\sauthentication\\sfailed\\:\\sauthentication\\sfailure$", to_string($message.message));
  let geo = lookup("geoip", result["0"]);
  set_field("src_ip_geo_location", geo["coordinates"]);
  set_field("src_ip_geo_country", geo["country"].iso_code);
  set_field("src_ip_geo_city", geo["city"].names.en);
end

But the rule doesn't match!
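To check the regex from the rule above outside Graylog, here is an added example (not code from the thread or from Graylog): the same pattern compiled in Python and run over a few constructed Postfix-style lines, including a line where reverse DNS resolved (so the literal `unknown` does not match) and a line carrying a private address. The thread later confirms the posted rule is the correct one; this example also adds one check the rule itself does not have: because `(.+?)` accepts anything between the brackets, the capture is validated as a globally routable IP before it is considered worth a GeoIP lookup. The sample lines and addresses (8.8.8.8, 8.8.4.4 as well-known public addresses, 10.0.0.7 as RFC 1918) are constructed for this example.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# The pattern from the posted pipeline rule, as a Python raw string. The rule
# doubles every backslash because the pattern sits inside a Graylog string
# literal; Java and Python both accept "\:" as an escaped literal colon.
AUTH_FAILURE_RE = re.compile(
    r"^warning\:\sunknown\[(.+?)\]\:\sSASL\sLOGIN\sauthentication\sfailed\:\sauthentication\sfailure$"
)

# Constructed sample lines standing in for $message.message (not taken from a
# real server). 8.8.8.8 / 8.8.4.4 are used only because they are well-known
# public addresses; 10.0.0.7 is an RFC 1918 private address.
SAMPLE_LINES = [
    "warning: unknown[8.8.8.8]: SASL LOGIN authentication failed: authentication failure",
    "warning: unknown[10.0.0.7]: SASL LOGIN authentication failed: authentication failure",
    # reverse DNS resolved here, so the literal 'unknown' in the pattern does not match
    "warning: mail.example.net[8.8.4.4]: SASL LOGIN authentication failed: authentication failure",
    # same client, different event: the rule's 'when' clause must stay false
    "connect from unknown[8.8.8.8]",
]


def extract_failed_login_ip(message: str) -> Optional[str]:
    """The rule's 'when' test plus its first 'then' line: return capture group 1
    (result["0"] in Graylog's numbering), or None when the pattern does not match."""
    m = AUTH_FAILURE_RE.match(message)
    return m.group(1) if m else None


def is_geoip_candidate(value: str) -> bool:
    """Validate the capture before a GeoIP lookup: it must parse as an IP address
    and be globally routable (private, loopback and link-local ranges have no
    geolocation, so looking them up is wasted work)."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def process_log_lines(lines: List[str]) -> List[Tuple[str, bool]]:
    """Run the rule logic over many lines. Each match yields (ip, lookup_worthwhile);
    non-matching lines are skipped exactly as the pipeline would skip them."""
    results = []
    for line in lines:
        ip = extract_failed_login_ip(line)
        if ip is None:
            continue
        results.append((ip, is_geoip_candidate(ip)))
    return results


if __name__ == "__main__":
    for ip, ok in process_log_lines(SAMPLE_LINES):
        verdict = "worth doing" if ok else "pointless (non-global address)"
        print(f"{ip:16} geoip lookup {verdict}")
```

If you want the same guard inside the rule itself rather than in a test script, Graylog's pipeline language has `is_ip()` and `cidr_match()` for that purpose.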

Hello,
Perhaps put the regex on the INPUT and create a new field. Then run GeoIP as shown in the documentation.
You are actually going beyond my limits; @tmacgbay might have a better suggestion.

Hello all,

Error on my part: the regex was bad…
Since then this rule works well.

Thanks for your help :slight_smile:

2 Likes

Could you post the corrected rule/regex so anyone searching for Zimbra Auth finds it? :slight_smile:

Nice…

If you could show/post what the correct regex for this was, that would be great; it may help others.

Hello All :slight_smile:

The correct rule/regex is the one in my post. I had pasted the corrected one but I hadn’t written it like that in my Graylog…

And @tmacgbay yes it is for Zimbra :slight_smile:

Thanks all and have a good weekend!

2 Likes
