Rule to set source from field

Graylog Central (peer support)
1

I am using sidecar and winlogbeat to forward our Windows Event Collector (VM126) logs to Graylog however all of the logs will be received as a single source and not the actual host that generated the log. I am trying to create a simple rule to set the source field from the winlogbeat_host_name field using this rule:

rule "rewrite source"
when
  to_string($message.source) == "VM126"
then
  set_field("source", "winlogbeat_host_name");
end

Both fields are in the log message so I assumed I could use them in the rule. Could someone point me in the right direction. Thanks.

2

Hello,

You cant use the same name for a field. Maybe something like this…

rule "rewrite source"
when
  to_string($message.source) == "VM126"
then
  set_field("new_source", "winlogbeat_host_name");
end
3

Thank you for the reply. The search page displays incoming messages that are identified by the source field. If I can’t modify this field how would I get the messages to show their real source and not all display the source as the event collector server?

4

From what you have showed above

Its not putting the FQDN in the source field. So I took a look at mine in the lab.
I notice I have a few fields for my Server.

image
image905Ă—697 22.8 KB

If you noticed the name of Host/source is just veeam
Now here is anothe beats even thou im using filebeat on a linux server its configured in our AD DC for a FQDN, this is what it looks like…

image
image816Ă—295 10.2 KB

You could also use lookup table to match “VM126” to it proper FQDN
then create an extractor attach to the input. just an idea

5

Unfortunately the source server could be any of the hundred hosts. The problem is technically the source is right. But VM126 collects logs from all of the windows servers in our environment and forwards them to Graylog.

I have three fields to work with. Source is always VM126 but winlogbeat_host_name and winlogbeat_computer_name show the correct originating server. I just need a way to set the source field to one of these two values.

6

I get now, Yeah if you have one source feeding GL " VM126" its only going to come up with that name.

7

@wgallt

I found something similar.

After looking over this, I did a quick scan on the forum. if your trying to split out the source field/s from VM126 you may need to use a another field or use the field winlogbeat_computer_name

The source field is normally for where the logs came from and it seams like your trying to separate them from all the clients. I think something like this

10 VM's ---> VM126 --> Graylog ---> Separated the 10 individual VM's again

1 Like
8

When I read your post right, you want to override the field source with the content of your field winlogbeat_host_name, right? Technically your source is VM126, but in real behind, there are multiple other systems.

rule "rewrite source"
when
  to_string($message.source) == "VM126"
then
  set_field("source", to_string($message.winlogbeat_host_name));
end
9

I’ve tried setting the source field but it doesn’t seem to allow me to. I decided to not overcomplicate it and just change the visible columns in the stream and make winlogbeat_host_name visible instead of source. Thanks for the help guys.

1 Like
10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.