Problems with greynoise pipeline

Hey everyone,

I’ve been trying to put to work a pipeline that integrates my FortiGate logs (that come to Graylog via syslog) with GreyNoise, but unfortunately it’s not working. It does not make any enrichment to my data.

So the following image shows the rule that I am using.

The lookup table is working properly, as I can do lookup tests and it works.

The logs that I am trying to enrich have the dstip field like we can see in the following image:

With all this configured, this is the pipeline config:

As we can see, the logs are not being enriched, because the rule is not matching any logs. Is there anything that I’m missing in here?

Thank you in advance for any help you can provide!

You can successfully manually lookup that IP value in your lookup table?

So I figured it out: the order of the Message Processors was not correct. I had the pipeline way up in the order, and now it is like this:

1. AWS Instance Name Lookup
2. Message Filter Chain
3. Stream Rule Processor
4. Pipeline Processor
5. GeoIP Resolver