Thanks. Unfortunately, all my sites are getting the same value. I created a
connection/stream with three pipelines called site A, site B, and site C.
In each pipeline is a single stage 0 rule specific to each site, to
match the subnet of that site. In my site A rule, I have:
rule "Site a"
when
cidr_match("192.168.100.0/24", to_ip($message.gl2_remote_ip))
then
set_field("cidr_site", "site a");
end
In my site B rule, I have:
rule "Site b"
when
cidr_match("192.168.150.0/24", to_ip($message.gl2_remote_ip))
then
set_field("cidr_site", "site b");
end
In my site C rule, I have:
rule "Site c"
when
cidr_match("192.168.200.0/24", to_ip($message.gl2_remote_ip))
then
set_field("cidr_site", "site c");
end
I have looked in Elasticsearch and the gl2_remote_ip is correct, but it assigns
the incorrect value "site A" for cidr_site, although it should match the
CIDR of the respective site.
On Wednesday, February 1, 2017 at 4:20:27 AM UTC-5, Peter Dudas wrote:
>
> With pipeline rules you can do that for sure.
>
> I made a rule like this:
>
> rule "Security"
> when
>   has_field("Channel") && (contains(to_string($message.Channel),
> "Security"))
> then
>   set_field("tag", "Security");
> end
>
> Add the rule to a pipeline, on stage 0, then connect the pipeline to any
> stream and it will tag your messages accordingly.
>
> Just have a look at the pipeline rules howto and use the cidr part.
> http://docs.graylog.org/en/2.1/pages/pipelines/rules.html
>
> based on this I would do:
>
> rule "from firewall subnet"
> when
>   cidr_match("10.10.10.0/24", to_ip($message.gl2_remote_ip))
> then
>   set_field("tag", "Firewall");
> end
>
> Attached you can see how I tag some messages in the NXLog output section.
> In case you are using NXLog with sidecar-collector, simply add the code as
> a verbatim configuration to the given output.
> The tagging will happen on the clients - reducing the load on the server.
>
> On Tuesday, 31 January 2017 20:48:02 UTC+1, Joe G wrote:
>>
>> If I have numerous streams (i.e. one for linux, one for networking, etc),
>> can I tag them somehow based on the IP CIDR of the sending devices so I can
>> use a tag such as site or region to filter my traffic?
>>
>
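To check systematically what the poster did by hand in Elasticsearch, here is an added Python example (not from the thread, and not Graylog's own code) that recomputes the expected site for each record from the three posted CIDRs and reports every record whose stored cidr_site disagrees. The sample records are constructed to reproduce the symptom described above.

```python
import ipaddress

# Site subnets exactly as posted in the thread; the labels are the set_field values.
SITE_CIDRS = {
    "site a": ipaddress.ip_network("192.168.100.0/24"),
    "site b": ipaddress.ip_network("192.168.150.0/24"),
    "site c": ipaddress.ip_network("192.168.200.0/24"),
}


def expected_site(remote_ip):
    """Return the site label whose CIDR contains remote_ip, or None.
    Mirrors cidr_match(cidr, to_ip(gl2_remote_ip)): an address that does not
    parse behaves like a failed to_ip() and matches no site."""
    try:
        addr = ipaddress.ip_address(remote_ip)
    except ValueError:
        return None
    for site, net in SITE_CIDRS.items():
        if addr in net:
            return site
    return None


def audit(messages):
    """Compare the stored cidr_site of each message with the value the rules
    should have produced. Returns (index, remote_ip, stored, expected) for every
    mismatch; an empty list means the pipeline tagged everything as intended."""
    mismatches = []
    for i, msg in enumerate(messages):
        stored = msg.get("cidr_site")
        want = expected_site(msg.get("gl2_remote_ip", ""))
        if stored != want:
            mismatches.append((i, msg.get("gl2_remote_ip"), stored, want))
    return mismatches


# Constructed records shaped like the two fields the poster inspected; the
# cidr_site values reproduce the reported symptom (everything tagged "site a").
SAMPLE_MESSAGES = [
    {"gl2_remote_ip": "192.168.100.17", "cidr_site": "site a"},
    {"gl2_remote_ip": "192.168.150.9", "cidr_site": "site a"},
    {"gl2_remote_ip": "192.168.200.42", "cidr_site": "site a"},
    {"gl2_remote_ip": "10.0.0.5"},  # outside every site subnet: no tag expected
]

if __name__ == "__main__":
    for bad in audit(SAMPLE_MESSAGES):
        print("message %d from %s tagged %r, expected %r" % bad)
```

Point `SAMPLE_MESSAGES` at records exported from Elasticsearch to run the same comparison on real data.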