With pipeline rules you can do that for sure.
I made a rule like this:
rule "Security"
when
  has_field("Channel") && contains(to_string($message.Channel), "Security")
then
  set_field("tag", "Security");
end
Add the rule to a pipeline, on stage 0, then connect the pipeline to any
stream and it will tag your messages accordingly.
Just have a look at the pipeline rules howto and use the cidr part.
http://docs.graylog.org/en/2.1/pages/pipelines/rules.html
Based on this I would do:

rule "from firewall subnet"
when
  cidr_match("10.10.10.0/24", to_ip($message.gl2_remote_ip))
then
  set_field("tag", "Firewall");
end
Attached you can see how I tag some messages in the NXLog output section.
In case you are using NXLog with sidecar-collector, simply add the code as
a verbatim configuration to the given output.
The tagging will happen on the clients - reducing the load on the server.
On Tuesday, 31 January 2017 20:48:02 UTC+1, Joe G wrote:
>
> If I have numerous streams (i.e. one for linux, one for networking, etc),
> can I tag them somehow based on the IP CIDR of the sending devices so I can
> use a tag such as site or region to filter my traffic?
>
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/af278eb3-8271-4f29-8f2c-50fa45d13163%40googlegroups.com.
# Drops successful logon/logoff events of computer accounts (TargetUserName
# ends with "$") after writing a one-line record of each dropped event to a
# local file, so the drop stays auditable.
Exec if ($EventID == 4624 or $EventID == 4634 or $EventID == 4678) and \
       ($EventType == "AUDIT_SUCCESS") \
     { \
       if $TargetUserName =~ /.\$/ { \
         $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + \
                      ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + \
                      $TargetUserName + ", IPAddr:" + $IPAddress + "\n"; \
         file_write("C:\\Program Files (x86)\\nxlog\\data\\security_drop.log", $raw_event); \
         drop(); \
       } \
     }

# Tags the PCI-DSS related messages. The assignment is unconditional, so every
# event that was not dropped above receives the tag.
Exec $tag = 'PCI-DSS';

# Maps event IDs to a human-readable $action field.
Exec if $EventID == 1102 {$action = 'Log Clear';}
Exec if $EventID == 4608 {$action = 'Windows Start';}
Exec if $EventID == 4609 {$action = 'Windows Shutdown';}
Exec if $EventID == 4610 {$action = 'An authentication package was loaded by the Local Security Authority.';}
Exec if $EventID == 4611 {$action = 'A trusted logon process has registered with the Local Security Authority.';}
Exec if $EventID == 4612 {$action = 'Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.';}
Exec if $EventID == 4614 {$action = 'A notification package was loaded by the Security Accounts Manager';}
Exec if $EventID == 4616 {$action = 'Server time out of synchronization with Domain Controller';}
Exec if $EventID == 4624 {$action = 'Successful Logon (on DC)';}
Exec if $EventID == 4625 {$action = 'Failed Logon attempts – All users';}
Exec if $EventID == 4634 {$action = 'logoff';}
Exec if $EventID == 4647 {$action = 'logoff initiated';}
Exec if $EventID == 4657 {$action = 'A registry value was modified (System Level Object)';}
Exec if $EventID == 4660 {$action = 'Creation or deletion of files in folders containing Cardholder Data';}
Exec if $EventID == 4663 {$action = 'All access to files containing Cardholder Data';}
Exec if $EventID == 4670 {$action = 'Changes to access privileges or ownership on folders containing Cardholder Data';}
Exec if $EventID == 4674 {$action = 'Privilege use (Failure only) for the following user groups: Accounts (User, service or process) with access to Cardholder Data';}
Exec if $EventID == 4697 {$action = 'A service was installed in the system.';}
Exec if $EventID == 4720 {$action = 'User Account Created';}
Exec if $EventID == 4722 {$action = 'User Account Enabled';}
Exec if $EventID == 4723 {$action = 'User changed own password';}
Exec if $EventID == 4724 {$action = 'Password Reset';}
Exec if $EventID == 4725 {$action = 'Disable Account';}
Exec if $EventID == 4726 {$action = 'User Account Deleted';}
Exec if $EventID == 4727 {$action = 'Global Security Group Created';}
Exec if $EventID == 4728 {$action = 'Global Security Group Member added';}
Exec if $EventID == 4729 {$action = 'Global Security Group Member removed';}
Exec if $EventID == 4730 {$action = 'Global Security Group Deleted';}
Exec if $EventID == 4731 {$action = 'Local Security Group Created';}
Exec if $EventID == 4732 {$action = 'Local Security Group Member added';}
Exec if $EventID == 4733 {$action = 'Local Security Group Member removed';}
Exec if $EventID == 4734 {$action = 'Local Security Group Deleted';}
Exec if $EventID == 4735 {$action = 'A local security group was changed';}
Exec if $EventID == 4737 {$action = 'A global security group was changed.';}
Exec if $EventID == 4738 {$action = 'User Account Changed (password set)';}
Exec if $EventID == 4740 {$action = 'Account Lockouts – All users';}
Exec if $EventID == 4741 {$action = 'A computer account was created.';}
Exec if $EventID == 4742 {$action = 'A computer account was changed.';}
Exec if $EventID == 4743 {$action = 'A computer account was deleted.';}
Exec if $EventID == 4744 {$action = 'Local Distribution group created';}
Exec if $EventID == 4745 {$action = 'Local Distribution group changed';}
Exec if $EventID == 4746 {$action = 'Local Distribution group member added';}
Exec if $EventID == 4747 {$action = 'Local Distribution group member removed';}
Exec if $EventID == 4748 {$action = 'Local Distribution group deleted';}
Exec if $EventID == 4749 {$action = 'Global Distribution Group created';}
Exec if $EventID == 4750 {$action = 'Global Distribution Group changed';}
Exec if $EventID == 4751 {$action = 'Global Distribution Group member added';}
Exec if $EventID == 4752 {$action = 'Global Distribution Group member removed';}
Exec if $EventID == 4753 {$action = 'Global Distribution Group deleted';}
Exec if $EventID == 4754 {$action = 'A universal security group was created.';}
Exec if $EventID == 4755 {$action = 'A universal security group was changed';}
Exec if $EventID == 4756 {$action = 'A universal security group member added';}
Exec if $EventID == 4757 {$action = 'A universal security group member removed';}
Exec if $EventID == 4758 {$action = 'A security-enabled universal group was deleted.';}
Exec if $EventID == 4759 {$action = 'Universal Distribution Group Created';}
Exec if $EventID == 4760 {$action = 'Universal Distribution Group Changed';}
Exec if $EventID == 4761 {$action = 'Universal Distribution Group Member added';}
Exec if $EventID == 4762 {$action = 'Universal Distribution Group Member removed';}
Exec if $EventID == 4763 {$action = 'Universal Distribution Group Deleted';}
Exec if $EventID == 4764 {$action = 'A group’s type was changed.';}
Exec if $EventID == 4767 {$action = 'Account Lockout Release – All users';}
Exec if $EventID == 4768 {$action = 'Authentication Request (logged on the DC)';}
Exec if $EventID == 4771 {$action = 'Kerberos Pre-authentication failed';}
Exec if $EventID == 4772 {$action = 'Kerberos Authentication ticket request failed';}
Exec if $EventID == 4776 {$action = 'Account Logon (with a local Computer account)';}
Exec if $EventID == 4778 {$action = 'Remote desktop Session Reconnected';}
Exec if $EventID == 4779 {$action = 'Remote desktop Session Disconnected';}
Exec if $EventID == 4781 {$action = 'User account name changed';}
Exec if $EventID == 4800 {$action = 'Source:Microsoft-Windows-Security-Auditing,The workstation was locked.';}
Exec if $EventID == 4801 {$action = 'Source:Microsoft-Windows-Security-Auditing,The workstation was unlocked.';}
Exec if $EventID == 4802 {$action = 'Screen Saver invoked';}
Exec if $EventID == 4803 {$action = 'Screen Saver dismissed';}
Exec if $EventID == 5136 {$action = 'Source:Microsoft-Windows-Security-Auditing,A directory service object was modified.';}
Exec if $EventID == 5137 {$action = 'A directory service object was created.';}
Exec if $EventID == 5141 {$action = 'A directory service object was deleted.';}
# Both of the next two lines test 5143, so the second assignment always
# overwrites the first; check which event ID each description was meant for.
Exec if $EventID == 5143 {$action = 'All access to folders containing Cardholder Data';}
Exec if $EventID == 5143 {$action = 'Changes to %SYSTEMROOT%\SYSTEM32 folder contents (System Level Object)';}
Exec if $EventID == 5144 {$action = 'network share was deleted';}
# 47239 is not a valid Windows event ID (they are at most four digits), so this
# line can never match; check the intended ID.
Exec if $EventID == 47239 {$action = 'Password Change';}
Exec if $EventID == 6144 {$action = 'Application of group policies to a container';}