In the worst case you can use 'IpAddress' + 'Match' + 'Regexp' in the stream 
rules - so the pipeline rule can be just a tagging (without cidr match).
In case the regexp already matched the messages, just filter on a common 
field like 'has_field("Severity")' in the when part, or write 'true'.

Regexp can be something like these:
192\.168\.100\..+
192\.168\.150\..+
192\.168\.200\..+

Regexp howto:
https://technet.microsoft.com/en-us/library/dd197583%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Regexp tester:
https://regex101.com

Although some forum members mentioned that using regexp matching in streams 
is overkill for the server....
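
To make the two approaches discussed in this thread concrete, here is an added example (not Graylog's code and not from any poster) that reproduces, in Python, what the three cidr_match()/set_field() rules and the regexp stream rules are meant to do with gl2_remote_ip. The messages, the tag_by_cidr/tag_by_regex function names and the use of fullmatch for the regexps are assumptions made for the example; gl2_remote_ip, cidr_site and the three subnets come from the thread.

```python
import ipaddress
import re

# Constructed sample messages (not real log data). gl2_remote_ip is the
# field Graylog sets on received messages; the rest is made up.
MESSAGES = [
    {"gl2_remote_ip": "192.168.100.17", "Severity": "INFO"},
    {"gl2_remote_ip": "192.168.150.5", "Severity": "WARN"},
    {"gl2_remote_ip": "192.168.200.250", "Severity": "ERROR"},
    {"gl2_remote_ip": "10.0.0.9", "Severity": "INFO"},      # no site matches
    {"gl2_remote_ip": "not-an-ip", "Severity": "INFO"},     # to_ip() would fail
]

# The three site subnets from the thread, checked in this order.
SITE_CIDRS = [
    ("192.168.100.0/24", "site a"),
    ("192.168.150.0/24", "site b"),
    ("192.168.200.0/24", "site c"),
]

# Stream-rule style alternative: the regexps from the reply above. They are
# applied with fullmatch so a pattern cannot match inside a longer string.
SITE_REGEXES = [
    (re.compile(r"192\.168\.100\..+"), "site a"),
    (re.compile(r"192\.168\.150\..+"), "site b"),
    (re.compile(r"192\.168\.200\..+"), "site c"),
]


def tag_by_cidr(message, cidrs=SITE_CIDRS, field="cidr_site"):
    """Mirror of three cidr_match()/set_field() rules: the first subnet that
    contains the remote IP sets the field. Returns a tagged copy."""
    tagged = dict(message)
    try:
        ip = ipaddress.ip_address(str(message.get("gl2_remote_ip", "")))
    except ValueError:
        # to_ip() has nothing usable to convert; leave the message untagged
        # rather than guessing a site.
        return tagged
    for cidr, site in cidrs:
        if ip in ipaddress.ip_network(cidr):
            tagged[field] = site
            break
    return tagged


def tag_by_regex(message, regexes=SITE_REGEXES, field="cidr_site"):
    """Mirror of a regexp stream rule on the remote IP followed by a
    pipeline rule that only tags. Returns a tagged copy."""
    tagged = dict(message)
    value = str(message.get("gl2_remote_ip", ""))
    for pattern, site in regexes:
        if pattern.fullmatch(value):
            tagged[field] = site
            break
    return tagged


def sites(messages, tagger):
    """Site assigned to each message by the given tagger (None if untagged)."""
    return [tagger(m).get("cidr_site") for m in messages]


if __name__ == "__main__":
    for m, by_cidr, by_re in zip(MESSAGES,
                                 sites(MESSAGES, tag_by_cidr),
                                 sites(MESSAGES, tag_by_regex)):
        print(f"{m['gl2_remote_ip']:>16}  cidr={by_cidr!s:7}  regex={by_re}")
```

Both taggers give every message from a listed subnet its own site and leave the other two messages untagged, which is the result the three separate rules should produce once each compares its own subnet against the remote IP.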


On Wednesday, 1 February 2017 16:28:21 UTC+1, Joe G wrote:
>
> Thanks, unfortunately, all my sites are getting the same value. I created 
> a connection/stream with three pipelines called site A, site B, and Site C. 
> In each pipeline is a single stage 0 rule specific to each site, to 
> match the subnet of that site. In my site A rule, I have:
> rule "Site a"
> when 
>     cidr_match("192.168.100.0/24", to_ip($message.gl2_remote_ip))
> then
>     set_field("cidr_site", "site a");
> end
>
> In my site B rule, I have:
> rule "Site b"
> when 
>     cidr_match("192.168.150.0/24", to_ip($message.gl2_remote_ip))
> then
>     set_field("cidr_site", "site b");
> end
>
> In my site C rule, I have:
> rule "Site c"
> when 
>     cidr_match("192.168.200.0/24", to_ip($message.gl2_remote_ip))
> then
>     set_field("cidr_site", "site c");
> end
>
> I have looked in elasticsearch and the gl_remote_ip is correct but it assigns 
> the incorrect value for cidr_site of "site A" although it should match the 
> cidr for their respective sites.
>
>
>
>
> On Wednesday, February 1, 2017 at 4:20:27 AM UTC-5, Peter Dudas wrote:
>>
>> With pipeline rules you can do that for sure.
>>
>> I made a rule like this:
>>
>> rule "Security"
>> when
>>     has_field("Channel") && (contains(to_string($message.Channel), "Security"))
>> then
>>     set_field("tag", "Security");
>> end
>>
>> Add the rule to a pipeline, on stage 0, then connect the pipeline to any 
>> stream and it will tag your messages accordingly.
>>
>> Just have a look at the pipeline rules howto and use the cidr part.
>> http://docs.graylog.org/en/2.1/pages/pipelines/rules.html
>>
>> Based on this I would do:
>>
>> rule "from firewall subnet"
>> when
>>     cidr_match("10.10.10.0/24", to_ip($message.gl2_remote_ip))
>> then
>>     set_field("tag", "Firewall");
>> end
>>
>> Attached you can see how I tag some messages in the NXLog output section. 
>> In case you are using NXLog with sidecar-collector, simply add the code as 
>> a verbatim configuration to the given output.
>> The tagging will happen on the clients - reducing the load on the server. 
>>
>> On Tuesday, 31 January 2017 20:48:02 UTC+1, Joe G wrote:
>>>
>>> If I have numerous streams (i.e. one for linux, one for networking, 
>>> etc), can I tag them somehow based on the IP CIDR of the sending devices so 
>>> I can use a tag such as site or region to filter my traffic?
>>>
>>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/707c3314-c7df-41db-a98d-4589418efd83%40googlegroups.com.