Whois or DNS resolution on IPs inside the log message


(Roberto) #1

Dear people, I have Graylog v2.0.3 and I'm receiving a lot of log messages from several of my own servers.

These messages have different IP addresses inside, such as:

full_message

<190>Dec 12 16:14:21 proxy (squid): 1544642061.016 0 179.0.15.180 TAG_NONE/503 0 CONNECT pipe.skype.com:443 moliva HIER_NONE/- -

Is it possible to add a feature that lets me execute whois or a DNS resolution if I put the mouse pointer on the IP, in this case 179.0.151.80?

Special thanks !!!


(Jan Doberstein) #2

If you update to the latest stable version (2.5.0 at the time of writing) you could use the DNS Lookup Adapter in a Decorator that will look up the IP, when present, and display that as a separate field.

How does that sound?


(Roberto) #3

Dear Jan, thanks for your response.

What do you mean when you say that DNS lookup will work when the IP is present in a separate field?

Because I have all the IPs I need to work on inside the FULL MESSAGE field, mixed with some other data.

Can you add this, please?

Thanks again!!!


(Anmol Sharma) #4

@robertito You need to use a Graylog Pipeline to extract the IP address from the message field and set it as a separate field. Later on you can perform the required actions on that field. Refer to the link below for reference:
http://docs.graylog.org/en/2.4/pages/pipelines/pipelines.html

OR

I am not very sure, but you can use the lookup function in a pipeline to operate on the IP address and set the obtained result in a separate field using the pipeline set_field function.
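To make the approach from post #4 (extract with a pipeline, then enrich with a lookup) concrete, here is an added example of two pipeline rules written for the squid line quoted in the original question. This is not code from the thread or from the Graylog project; it assumes the squid native access.log layout shown in the sample, that the rules are attached to the stream in two consecutive stages (fields set in one stage are only visible to rules in the next), and that a lookup table named `dns-reverse` has been created in System > Lookup Tables with the DNS Lookup data adapter mentioned in post #2 configured for reverse (PTR) lookups; the table name and the `squid_*`/`client_*` field names are my own choices.

```graylog
// Stage 0: pull the squid access-log fields out of full_message.
// Assumption: squid native format, i.e.
//   <ts> <elapsed> <client_ip> <result>/<status> <bytes> <method> <url> <user> <hier>/<peer> <mime>
// Backslashes are doubled because they live inside a rule string literal.
rule "squid: extract client ip from full_message"
when
  has_field("full_message") &&
  contains(to_string($message.full_message), "(squid):")
then
  let parts = regex(
    "\\(squid\\): (\\d+\\.\\d+) (\\d+) (\\d{1,3}(?:\\.\\d{1,3}){3}) (\\S+)/(\\d+) (\\d+) (\\S+) (\\S+) (\\S+) (\\S+)/(\\S+) (\\S+)",
    to_string($message.full_message),
    ["squid_ts", "squid_elapsed_ms", "client_ip", "squid_result",
     "squid_status", "squid_bytes", "squid_method", "squid_url",
     "squid_user", "squid_hier", "squid_peer", "squid_mime"]
  );
  // regex() returns a map keyed by the group names above; if the line
  // does not match, the map is empty and nothing is set.
  set_fields(parts);
end

// Stage 1: enrich the extracted IP. Assumption: lookup table "dns-reverse"
// is backed by the DNS Lookup adapter doing PTR lookups, so the key is the
// IP string and the value is the hostname (or the default when none exists).
rule "squid: reverse-resolve client ip"
when
  has_field("client_ip")
then
  let host = lookup_value("dns-reverse", to_string($message.client_ip), "unresolved");
  set_field("client_hostname", host);
  // Keep the numeric form searchable as an IP type as well.
  set_field("client_ip_addr", to_ip($message.client_ip));
end
```

Two practical notes: a reverse lookup on every message sends a DNS query for each distinct client address, so set a sensible cache TTL on the lookup table and expect `unresolved` for addresses without PTR records; and because the hostname is now a field of its own, you can search `client_hostname:*.example.com` or build a dashboard on `squid_status`, which is the point Jan makes about splitting messages into fields.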


(Jan Doberstein) #5

Because I have all the IPs I need to work on inside the FULL MESSAGE field, mixed with some other data.

In a modern log solution you will want to separate the information of a log message into separate fields. For two reasons: to be able to search FAST, to correlate easily, and to enrich the message on specific parts.

