Rule Simulation fails

Goal: Lookup DestIP (IP address) at greynoise and append log-entry as an attribute.

Problem:
The rule never finds any matches for the field DestIP, not even during rule simulation. The attached screenshot shows the situation. The simulator claims the field "DestIP" doesn't match, as far as I can tell. But it is clearly there if you look at my screenshot.

The reason I know that it is the IF test failing is that I tested by removing the IF test and replacing it with a value that was always true, and then it appended something to the entry in the simulator.

Could it be that I need to use another field instead of DestIP? Or is something wrong with the formatting in the text field?

On the test lookup page inside Graylog, it shows the expected result when queried, so nothing is wrong with the lookups.

I'm using pfSense and logging to Graylog. I used a cheat sheet from Lawrence Systems to get the input values into DestIP and all the other fields.

Rule Simulation (greynoise doesn’t appear as a tag unless I remove the IF test):

Graylog 5.1.7 (Eclipse Adoptium 17.0.8.1 on Linux 5.14.0)

So first off, the rule simulator doesn't support JSON with multiple fields until 5.2 (which is in beta now). You can see this because your JSON is all showing in a single field called message. Because of this, the rule can only do things with values from the message field, so yes, what you have there will never work in the rule simulator.
Can you post a picture of what the original message looks like and what fields it has? Also, as a general rule, I try to keep all field names lowercase, because it can get way crazy if they are not.

Ah, I see. So I need to split up the values somehow.

Full message:

I struggled a bit to find out how to do this. I already have a nice view of messages, but exactly how to do this search/replace from the rule/rule simulator system, I have no clue.
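A pair of pipeline rules that do what the reply above describes (split the JSON out of the message field first, then run the lookup against the resulting DestIP field in a later stage) is shown below. This is an added example, not something posted in the thread or shipped with Graylog or the Lawrence Systems material. It assumes the lookup table is registered under the name greynoise in System > Lookup Tables and is keyed by IP address, and that the JSON in the message field is an object with a top-level DestIP key, as in the original post's screenshot.

```graylog
// Stage 0: the rule simulator (and any input that does not decode JSON
// itself) leaves the whole JSON document in the "message" field, so the
// first rule turns its top-level keys into real message fields.
// Assumption: the message is a JSON object containing a "DestIP" key.
rule "pfsense: parse json in message"
when
  has_field("message") && starts_with(to_string($message.message), "{")
then
  let json = parse_json(to_string($message.message));
  let map = to_map(json);
  // Every top-level key (DestIP, SrcIP, ...) becomes a message field.
  set_fields(map);
end

// Stage 1: field changes made by a rule are visible to rules in later
// stages, so this rule must be connected to a stage after the parse rule,
// otherwise has_field("DestIP") is still false when it runs.
// Assumption: a lookup table named "greynoise" exists and is keyed by IP.
rule "pfsense: greynoise lookup on DestIP"
when
  has_field("DestIP")
then
  let gn = lookup_value("greynoise", to_string($message.DestIP));
  set_field("greynoise", gn);
end
```

Connect the two rules to consecutive stages of the same pipeline rather than the same stage; with both in one stage the lookup rule is evaluated against the message as it was before set_fields ran and never matches. If a real input already decodes the JSON into fields, the first rule's starts_with check simply fails and the second rule works on the existing DestIP field unchanged.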
