I just deployed Graylog Open (latest available version) on Ubuntu 22.04.05.
Firewall logs are sent to Graylog (Default stream) and Graylog can start managing logs using extractors.
Graylog correctly shows all the expected fields (the most important ones are “Src” and “Dst” for source and destination IPs).
Now, I would like to add additional information to the available fields: the Reverse DNS value related to the existing IP address. So, I created a Lookup table and the needed pipeline.
But it seems that the pipeline works before the extractor, so it is not able to identify the field Src and Dst.
I’m still a newbie, could you please help me to have an additional field with reverse DNS value?
What is your current processing order (Under System/configuration)?
The best route forward here would be to carry out all parsing of the messages within a pipeline. Replicate what you have currently in the extractor as a rule and have that run a stage before the lookup within a pipeline.
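As an added example (not part of Wine_Merchant's reply or of Graylog's own rule set), here is what that looks like: a stage 0 rule that parses Src/Dst out of the raw message, two stage 1 rules that do the reverse lookup, and the pipeline that orders them. The "SRC=... DST=..." message layout and the lookup table name "reverse-dns" are assumptions; replace them with your firewall's format and your table name.

```graylog
// Stage 0: replaces the extractor. Only fires when the assumed
// "SRC=<ip> DST=<ip>" layout is present in the message.
rule "parse firewall src/dst"
when
  has_field("message") &&
  regex("SRC=([0-9.]+) DST=([0-9.]+)", to_string($message.message)).matches
then
  let m = regex("SRC=([0-9.]+) DST=([0-9.]+)", to_string($message.message));
  set_field("Src", m["0"]);   // first capture group
  set_field("Dst", m["1"]);   // second capture group
end

// Stage 1: fields set in stage 0 are visible here, so the lookup works.
// "reverse-dns" is an assumed lookup table backed by a DNS data adapter
// configured for reverse (PTR) lookups.
rule "reverse dns for src"
when
  has_field("Src")
then
  set_field("Src_hostname", lookup_value("reverse-dns", to_string($message.Src)));
end

rule "reverse dns for dst"
when
  has_field("Dst")
then
  set_field("Dst_hostname", lookup_value("reverse-dns", to_string($message.Dst)));
end

// The pipeline: parsing in stage 0, enrichment one stage later.
pipeline "firewall enrichment"
stage 0 match either
  rule "parse firewall src/dst";
stage 1 match either
  rule "reverse dns for src";
  rule "reverse dns for dst";
end
```

The pipeline still has to be connected to the stream the firewall logs land in (the Default stream here) under System / Pipelines, and you can confirm each rule fires with the rule simulator before trusting the search results.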
Thank you, Wine_Merchant.
I did what you suggested (I noticed that “Illuminate Processor” is not present).
I tested my setup but it does not seem to be working as expected. The “Dst_hostname” and “Src_hostname” fields are not created.
| # | Processor | Status |
|---|---|---|
| 1 | AWS Instance Name Lookup | active |
| 2 | GeoIP Resolver | active |
| 3 | Message Filter Chain | active |
| 4 | Stream Rule Processor | active |
| 5 | Pipeline Processor | active |
Do you have other things to check? Or logs?
Thanks again for your patience.