I am fairly new to Graylog and I am trying to get the Threat Intelligence Plugin to analyze the
SRC section of such messages:
ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=REDACTED SRC=220.127.116.11 DST=REDACTED LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=16557 PROTO=TCP SPT=59574 DPT=7845 WINDOW=1024 RES=0x00 SYN URGP=0
How would I write this rule? I am familiar with selecting a pipeline etc. but can’t get the new fields to show up as described in this
tutorial so I assume my rule is not correct.
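As an added example (not from the original thread), here is one way to write this as two pipeline rules: the first extracts the SRC address from the ubnt kernel line into a field, the second runs the Threat Intelligence plugin lookup on that field. The field name `src_addr` is my choice; the two rules are meant to sit in consecutive stages so the second sees the field the first created.

```text
// Stage 0: pull the SRC= IPv4 address out of the kernel log line.
// Only fires when the message actually contains SRC=<ip>.
rule "ubnt firewall: extract SRC address"
when
  has_field("message") &&
  regex("SRC=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message)).matches
then
  // In Graylog's regex() the first capture group is key "0".
  let m = regex("SRC=(\\d{1,3}(?:\\.\\d{1,3}){3})", to_string($message.message));
  set_field("src_addr", m["0"]);
end

// Stage 1: look the extracted address up against the plugin's feeds.
// in_private_net() skips RFC1918 ranges, which the feeds never list anyway.
rule "ubnt firewall: threat intel lookup on src_addr"
when
  has_field("src_addr") &&
  ! in_private_net(to_string($message.src_addr))
then
  // The second argument is the prefix for the fields the lookup adds,
  // e.g. src_addr_threat_indicated and src_addr_threat_names.
  let intel = threat_intel_lookup_ip(to_string($message.src_addr), "src_addr");
  set_fields(intel);
end
```

Attach both rules to a pipeline connected to the stream carrying these messages; if `src_addr` never appears, check that the pipeline is connected to the right stream and that the message field really is named `message`.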
Could you explain in greater detail about your environment?
To help you further please take a look at this post.
Here’s a Graylog support-inspired template (thank you,
@aaronsachs ) that’ll get responses:
Description of your problem
<!-- Use this section to describe the problem that you're encountering. Please include any screenshots or recordings of the problem you're running into.-->
Description of steps you’ve taken to attempt to solve the issue
<!-- Use this section to provide detail…
Sorry for giving more details as I didn’t think they were needed since I have a full working installation of the latest version of Graylog under Ubuntu. Plug-in is active and ready. Just not sure how to write the rule to inspect the SRC section of that message.
You have Graylog version 4.2 installed I assume.
If this is correct, then you may want to look at this post.
I am trying to configure threat intel plugin in Graylog 4.1.2-1. But I am getting following errors in log file. I have posted my configuration in detail below. Can anyone tell me if I am missing anything?
2021-11-01T00:50:07.021+05:00 WARN [LookupTableService] Lookup table does not exist
2021-11-01T00:50:07.036+05:00 WARN [LookupTableService] Lookup table does not exist
2021-11-01T00:50:07.038+05:00 WARN [LookupTableService] Lookup table does not exist