Never mind, I found the source of the problem. I had to change the Message
Processors Configuration so that the Message Filter Chain was before the
Pipeline Processor.
On Wednesday, February 1, 2017 at 9:39:50 AM UTC-7, Karl Bundy wrote:
>
> I am having an issue with getting the Graylog Threat Intelligence plug-in
> and the associated pipelines set up properly. I have created a pipeline,
> added a rule, and linked it to the default stream. The pipeline metric
> shows messages going through it, but it is not creating the new fields
> based on the threat intel lookups and it is not clear to me where the issue
> is (pipeline, rule, plugin, etc.)
>
> Here is the rule:
>
> rule "Threat Intel Lookup SourceAddress"
> when
>   has_field("SourceAddress")
> then
>   let src_addr_intel = threat_intel_lookup_ip(to_string($message.SourceAddress), "SourceAddress");
>   set_fields(src_addr_intel);
> end
>
> The pipeline has a single stage with just the rule above in it. The
> pipeline connection is using the default stream.
>
> Any assistance or suggestions that people could provide to help
> troubleshoot this would be greatly appreciated.
>
> Thanks,
>
> Karl
>
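
The ordering fix described in the reply above can be checked mechanically. The following is an added example, not code from the thread or from the Graylog project; it flags a configuration in which the Pipeline Processor runs before the Message Filter Chain, or in which either one is disabled or absent. Assumptions: the Message Processors Configuration is available as JSON with a `processor_order` list of `name`/`class_name` entries and a `disabled_processors` list of class names; the class names and sample documents are constructed.

```python
import json

FILTER_CHAIN = "Message Filter Chain"
PIPELINE = "Pipeline Processor"


def _sample(order, disabled=()):
    """Build a constructed config document; class names are placeholders."""
    def cls(name):
        return "example." + name.replace(" ", "")
    return json.dumps({
        "processor_order": [{"name": n, "class_name": cls(n)} for n in order],
        "disabled_processors": [cls(n) for n in disabled],
    })


# Constructed samples: the state before and after the fix from the thread.
SAMPLE_BEFORE_FIX = _sample([PIPELINE, FILTER_CHAIN])
SAMPLE_AFTER_FIX = _sample([FILTER_CHAIN, PIPELINE])


def check_processor_order(config_json):
    """Return a list of findings; an empty list means the order is as required."""
    cfg = json.loads(config_json)
    disabled = set(cfg.get("disabled_processors", []))
    position = {}
    findings = []
    for index, entry in enumerate(cfg.get("processor_order", [])):
        position[entry["name"]] = index
        if entry["name"] in (FILTER_CHAIN, PIPELINE) and entry["class_name"] in disabled:
            findings.append(f"{entry['name']} is disabled")
    for name in (FILTER_CHAIN, PIPELINE):
        if name not in position:
            findings.append(f"{name} is missing from the processor order")
    if (FILTER_CHAIN in position and PIPELINE in position
            and position[FILTER_CHAIN] > position[PIPELINE]):
        findings.append(f"{PIPELINE} runs before {FILTER_CHAIN}")
    return findings


if __name__ == "__main__":
    for label, doc in (("before fix", SAMPLE_BEFORE_FIX), ("after fix", SAMPLE_AFTER_FIX)):
        print(label, check_processor_order(doc) or "OK")
```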