Q1: I can see extra fields are added as expected, but can anyone suggest a way for me to validate it is working properly?
Q2: I assume the v3.x version requires no further configuration beyond those listed in the links above. If I am not wrong, do the intelligence sources update automatically? Or how can I check which sources they are using now?
Graylog Version: 3.2.4
Installed via Ubuntu package
I also followed the same article. I am running graylog v3.1 however. All IPs are returning threat_indicated “false” when I know some of these should be returning as true.
It’s interesting because I really can’t find any documentation on the threat intelligence plugin in the actual documentation. Instead there are these random links with instructions. I am wondering if this is geared more towards enterprise users only?
I’m definitely beginning to think this article is missing some critical instructions. In my logs I am seeing:
[LookupTableService] Lookup table does not exist
It makes sense actually. I remember setting this up thinking "how can this work without a lookup table?" I've previously set up the GeoIP MaxMind database and I should have known this does not work without a lookup table. I think that is our problem @bbfunde
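An added example, not posted by anyone in the thread: a minimal pipeline rule that performs the lookup explicitly instead of relying on the plugin's wrapper functions, so the `threat_indicated` result can be checked against the lookup table directly. The lookup table name `tor-exit-node` and the source field `src_addr` are assumptions; substitute the table you created under System / Lookup Tables.

```graylog
rule "threat intel: explicit Tor exit node check on src_addr"
when
  has_field("src_addr")
then
  // Assumption: a lookup table named "tor-exit-node" exists and is backed by
  // the Tor exit node data adapter. If the table is missing, the lookup
  // returns null and the server log shows
  // "[LookupTableService] Lookup table does not exist", as in the thread above.
  let ip = to_string($message.src_addr);
  let hit = lookup_value("tor-exit-node", ip);

  // Record that the check ran at all, separately from its outcome, so a
  // missing table is distinguishable from a clean address in the search UI.
  set_field("src_addr_tor_checked", true);
  set_field("src_addr_threat_indicated", is_not_null(hit));
end
```

If every message ends up with `src_addr_threat_indicated` false while `src_addr_tor_checked` is true, confirm the table name in the rule matches the one shown under Lookup Tables and that its data adapter reports a successful refresh.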