Stumped - Finding a function in rules

tmacgbay · January 11, 2021, 2:42pm

I ma having an issue tracking down what is causing this error and was hoping you had an idea

My Graylog server log is filling with the following error:

2021-01-11T08:54:10.623-05:00 ERROR [PrivateNetLookupFunction] Could not run private net lookup for IP [-]: '-' is not an IP string literal.

The only place I an find where I am using in_private_net() (that I could find) is in the following function (there are a few more like this built the same):

rule "DNS-session_src_ip-internal"
when
    has_field("session_src_ip")                                     &&
    is_ip(to_ip($message.session_src_ip))                           &&
    (
        in_private_net(to_string($message.session_src_ip ))         ||
        cidr_match("43.43.43.0/24",  to_ip($message.session_src_ip )) 
     )

then
    let IP2Name = lookup_value("Int_DNS_table", $message.session_src_ip );
    set_field("internal_wkst", IP2Name); 
    set_field("internal_ip", $message.session_src_ip);

end

I did a manual search of all my rules for in_private_net() or even a regex_replace() I am not using extractors. Threat Intelligence is disabled until I get to it.

It would be nice if there were an easy way to search through all rules for every existence of a function.

Anyone have a good idea on how to track this one down?

cawfehman · January 11, 2021, 10:22pm

Not a super sexy way to do it, but after some digging through some MongoDB documentation, I think you could possibly do the following, assuming you have access to the mongo instance housing your graylog config:

> use graylog
> var myCursor = db.pipeline_processor_rules.find( );
> myCursor.forEach(printjson);

That will screen dump each of your pipeline rules in JSON format, and then you can just parse them. I’m sure there’s a more elegant way, but I’m not MongoDB expert.

shoothub · January 12, 2021, 9:01am

Or create content pack with all pipeline rules and search in exported json file.

tmacgbay · January 12, 2021, 3:24pm

Well dammit - 60% of questions I ask get answered with something I should have thought of… Both good solutions! I am marking @cawfehman for doing some digging - Thanks guys!

cawfehman · January 12, 2021, 3:38pm

Glad to help… I had the benefit of distance from the problem. Sometimes we need to step away for a few and let our brain get out of it’s own way. That’s also why another pair of eyes is always good.

Topic		Replies	Views
Finding deprecated funtions in pipeline rules Graylog Central (peer support)	4	149	June 24, 2025
Still my pipeline is not working - And need help badly Graylog Central (peer support) pipeline-rules , debuggingpl	7	603	October 14, 2019
Issue with AzureAD Pipeline Rule - Client IP for Map Graylog Central (peer support) pipeline-rules , route-to-streampl	11	819	December 14, 2022
Subnet Search Query Graylog Central (peer support)	20	14671	December 11, 2017
Invoke a graylog lookup from a custom function Graylog Central (peer support)	6	399	August 21, 2020

Stumped - Finding a function in rules

Related topics