Dear Users,
I just deployed Graylog Open (latest available version) on Ubuntu 22.04.05.
Firewall logs are sent to Graylog (Default stream) and Graylog can start managing the logs using extractors.
Graylog shows correctly all the expected fields (the most important ones are “Src” and “Dst” for source and destination IPs).
Now, I would like to add an additional piece of information to the available fields: the reverse DNS value related to the existing IP address. So, I created a Lookup Table and the needed pipeline.
But it seems that the pipeline runs before the extractor, so it is not able to find the fields Src and Dst.
I'm still a newbie; could you please help me to get an additional field with the reverse DNS value?
Thank you in advance
Hey @m4v3r1ck,
What is your current processing order (under System/Configuration)?
The best route forward here would be to carry out all parsing of the messages within a pipeline. Replicate what you currently have in the extractor as a rule and have that run in a stage before the lookup within the pipeline.
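As an added illustration of the suggestion above (not code from the original thread), here is what "extractor first, lookup in a later stage" looks like as two Graylog pipeline rules in one pipeline. The grok pattern (a firewall line containing "SRC=<ip> DST=<ip>"), the Lookup Table name "rdns_lookup" and the stage numbers are assumptions; adjust them to the real message format and the table that was actually created. Stage 0 holds the parsing rule, stage 1 the lookup rule, and the pipeline is connected to the stream the firewall logs land in.

```graylog
// Stage 0 of the pipeline: replaces the extractor.
// Assumption: the raw firewall line contains "SRC=<ip> DST=<ip>".
// grok() with only_named_captures returns a map {Src: ..., Dst: ...}
// on a match and an empty map otherwise, so set_fields() adds nothing
// when the line does not match instead of writing empty fields.
rule "Stage 0: parse firewall Src and Dst"
when
    has_field("message")
then
    let fields = grok(
        pattern: "SRC=%{IP:Src} DST=%{IP:Dst}",
        value: to_string($message.message),
        only_named_captures: true
    );
    set_fields(fields);
end

// Stage 1 of the same pipeline: runs only after stage 0 has finished,
// so Src and Dst already exist on the message.
// Assumption: "rdns_lookup" is the name of the Lookup Table built earlier,
// keyed by IP address and returning the PTR hostname.
rule "Stage 1: reverse DNS for Src and Dst"
when
    has_field("Src") && has_field("Dst")
then
    let src_host = lookup_value("rdns_lookup", to_string($message.Src));
    let dst_host = lookup_value("rdns_lookup", to_string($message.Dst));
    set_field("Src_hostname", src_host);
    set_field("Dst_hostname", dst_host);
end
```

Once the stage 0 rule does the parsing, the extractor can be removed so the same fields are not written twice; the stage 1 rule's `when` clause also makes it easy to see in the pipeline simulator whether the parsing stage actually produced Src and Dst before the lookup ran.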
Hello Wine_Merchant,
thank you very much for your answer.
This is what I see in System/Configuration (I hope this answers your question):
# | Processor                | Status
1 | AWS Instance Name Lookup | active
2 | GeoIP Resolver           | active
3 | Pipeline Processor       | active
4 | Message Filter Chain     | active
5 | Stream Rule Processor    | active
So, if I'm not wrong, you suggest moving the message parsing (extractor) into a pipeline, placing it before the lookup.
But I'm still a newbie and I don't know how to translate the extractor "rule" into "pipeline code". Could you please provide an example?
The extractor I created reads the native message and extracts 20 to 30 relevant fields.
Thank you
Before we get into that @m4v3r1ck, I would suggest altering the processing order to that within the picture and testing your setup again.
Thank you, Wine_Merchant.
I did what you suggested (I noticed that "Illuminate Processor" is not present).
I tested my setup, but it seems not to be working as expected: the "Dst_hostname" and "Src_hostname" fields are not created.
# | Processor                | Status
1 | AWS Instance Name Lookup | active
2 | GeoIP Resolver           | active
3 | Message Filter Chain     | active
4 | Stream Rule Processor    | active
5 | Pipeline Processor       | active
Do you have other things I should check, or logs?
Thanks again for your patience.