I am having an issue with getting the Graylog Threat Intelligence plug-in
and the associated pipelines set up properly. I have created a pipeline,
added a rule, and linked it to the default stream. The pipeline metric
shows messages going through it, but it is not creating the new fields
based on the threat intel lookups and it is not clear to me where the issue
is (pipeline, rule, plugin, etc.).
Here is the rule:
rule "Threat Intel Lookup SourceAddress"
when
    has_field("SourceAddress")
then
    let src_addr_intel = threat_intel_lookup_ip(to_string($message.SourceAddress), "SourceAddress");
    set_fields(src_addr_intel);
end
The pipeline has a single stage with just the rule above in it. The
pipeline connection is using the default stream.
Any assistance or suggestions that people could provide to help
troubleshoot this would be greatly appreciated.
Thanks,
Karl
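A diagnostic variant of the rule above, added here as an editor's example and not part of Karl's post or the Graylog project's own documentation. It narrows down where the problem sits: a marker field shows whether the rule fires at all (search for threat_intel_rule_ran:true), and debug() writes the raw lookup result to the Graylog server log so you can see whether the plugin returned anything before set_fields() runs. It assumes the message field is really named SourceAddress with that exact casing (pipeline field names are case-sensitive) and that the threat intel plugin's threat_intel_lookup_ip(ip, prefix) function is installed, as in the original rule; the marker field name is a constructed choice.

```graylog
rule "Threat Intel Lookup SourceAddress (diagnostic)"
when
    // Field names are case-sensitive: if the message carries source_address
    // or src_ip instead, this condition is false and nothing below runs.
    has_field("SourceAddress")
then
    // Marker field (constructed name): if it never appears on indexed messages,
    // the rule is not matching or the pipeline is not connected to this stream.
    set_field("threat_intel_rule_ran", true);

    // Same lookup as the original rule; the prefix "SourceAddress" names the
    // fields the plugin returns (for example SourceAddress_threat_indicated).
    let src_addr_intel = threat_intel_lookup_ip(to_string($message.SourceAddress), "SourceAddress");

    // Log the returned map so the server log shows whether the lookup produced
    // any fields at all, independently of what ends up in the index.
    debug(src_addr_intel);

    set_fields(src_addr_intel);
end
```

If threat_intel_rule_ran shows up but the SourceAddress_* fields do not, the problem is on the plugin side (lookup returning an empty result, or the lookup tables not loaded); if the marker never appears, check the field name in the incoming messages and the pipeline-to-stream connection before touching the plugin.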