I’m working on a pipeline rule on a Graylog 4 box that uses a lookup table to essentially convert an IP address to a fully-qualified hostname (FQDN). The actual lookup works perfectly, but the result has a dot on the end. While this may be technically accurate from a DNS perspective, it’s not what I want. How do I remove the trailing dot so that “somehost.example.com.” becomes just “somehost.example.com”? I tried using regex and I couldn’t get it working.
Correct me if I’m wrong: you configured a pipeline rule to use a lookup table and there is a dot at the end of the FQDN?
Does your pipeline look something similar to this?
```
rule "lookup: src_ip"
when
  has_field("src_ip")
then
  let fqdn_source = lookup("fqdn", to_string($message.src_ip));
  set_field("src_name", fqdn_source);
end
```
If so, double check your lookup table config & CSV file if you’re using that.
```
rule "Security > TACACS Client"
when
  has_field("tacacs_client")
then
  let hostname = lookup_value("dns-lookup", to_string($message.tacacs_client));
  set_field("tacacs_client_hostname", hostname);
end
```
I extract the IP from a log in an earlier processing stage. The lookup table does a reverse DNS lookup on the IP and grabs the FQDN, but adds a dot.
If you only want to remove the last letter of whatever string, I can recommend the substring() function:
```
substring(value: string, start: long, [end: long])
```
Returns a substring of value starting at the start offset (zero-based indices), optionally ending at the end offset. Both offsets can be negative, indicating positions relative to the end of value.
Your rule could look like this:
```
rule "Security > TACACS Client"
when
  has_field("tacacs_client")
then
  let hostname = lookup_value("dns-lookup", to_string($message.tacacs_client));
  hostname = substring(value:hostname, start:0, end:-1)
  set_field("tacacs_client_hostname", hostname);
end
```
This is a great approach, but the line as you had it threw errors in the rule editor.
This is what I have now – no errors, but it’s not setting the field either:
```
rule "Security > TACACS Client"
when
  has_field("tacacs_client")
then
  let hostname = lookup_value("dns-lookup", to_string($message.tacacs_client));
  let hostname = substring(to_string(hostname), 0, -1);
  set_field("tacacs_client_hostname", hostname);
end
```
Your field tacacs_client is set properly, but the field tacacs_client_hostname is missing? Did you try to manually test your value from tacacs_client in the lookup table?
It’s working correctly now. My lookup table had been renamed and that naturally broke things. Now that I corrected that, the rule (with your suggested fix) is working as expected.
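An added example (not from any post above): the unconditional substring(…, 0, -1) in the rule above drops the last character even when the lookup result has no trailing dot (for instance a lookup miss or a table that returns a bare name), so this variant strips the dot only when it is present and makes a miss visible. It keeps the thread's table name "dns-lookup" and field names, and assumes the Graylog 4 built-in functions lookup_value (with its optional default) and regex_replace.

```graylog
rule "Security > TACACS Client (strip trailing dot)"
when
  has_field("tacacs_client")
then
  // Third argument is the default returned on a lookup miss, so a missing
  // PTR record shows up as "unresolved" instead of a silently missing field.
  let raw = lookup_value("dns-lookup", to_string($message.tacacs_client), "unresolved");
  let hostname = to_string(raw);

  // Remove exactly one dot at the very end of the string, and nothing else.
  // "somehost.example.com." -> "somehost.example.com"
  // "somehost.example.com"  -> "somehost.example.com" (left intact)
  let trimmed = regex_replace("\\.$", hostname, "");

  set_field("tacacs_client_hostname", trimmed);
end
```

Test it with the pipeline simulator on a message whose tacacs_client has a PTR record and on one that does not, and confirm the field is set in both cases.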