Hello,
I am fairly new to Graylog and I am trying to get the Threat Intelligence Plugin to analyze the SRC section of such messages:
ubnt kernel: [WAN_LOCAL-default-D]IN=eth0 OUT= MAC=REDACTED SRC=185.191.34.207 DST=REDACTED LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=16557 PROTO=TCP SPT=59574 DPT=7845 WINDOW=1024 RES=0x00 SYN URGP=0
How would I write this rule? I am familiar with selecting a pipeline etc. but can’t get the new fields to show up as described in this tutorial so I assume my rule is not correct.
Thank you.
gsmith
January 4, 2022, 12:03am
2
Hello,
Could you explain in greater details about your environment?
This platform is made with love for community discussions on the open source tool Graylog, it components and usage.
Here’s a Graylog support-inspired template (thank you, @aaronsachs ) that’ll get responses:
Sorry for giving more details as I didn’t think they were needed since I have a full working installation of the latest version of Graylog under Ubuntu. Plug-in is active and ready. Just not sure how to write the rule to inspect the SRC section of that message.
gsmith
January 5, 2022, 2:30am
4
Hello,
You have Graylog version 4.2 installed I assume.
system
January 19, 2022, 2:31am
5
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
