22.1 Legacy Series / Re: Syslog, Graylog, not human readable logs?
« on: May 28, 2022, 06:45:48 pm »
This is the rule I use in the pipe for trapping firewall blocks
rule "Reverse Dns: Firewall src_ip"
when
    // has_field() takes the field name; is_not_null() takes the field's value.
    has_field("src_ip") && is_not_null($message.src_ip)
then
    // Declare a variable that will pull the value from
    // the source address field for use in the lookup.
    let ts = to_string($message.src_ip);
    // Declare a variable that looks up the value stored in the
    // lookup table specified matching the value found in the previous variable.
    let lv = lookup_value(lookup_table:"reverse_dns", key:ts);
    // Set field with name specified and value returned from the previous lookup.
    set_field("src_hostname", lv);
end
You will need a lookup table to do the reverse DNS from the IP address.
let lv = lookup_value(lookup_table:"reverse_dns", key:ts);
BTW, you may eventually be using GeoIP databases (MaxMind and others are available!!) to get geospatial data;
the source IP (src_ip) used is confusing, and really should be the search_ip (i.e. it could be a source or destination IP depending on what you are doing).
Also in your post there is a reference to InfluxDB; there is a Graylog output to InfluxDB V1, which is not the latest, it's now V2, and its access and query mechanism has changed considerably. It is possible to use a V1 connection with the old query mechanism; it is documented on the InfluxDB page, and it does work, though one expects it to disappear in the future, so all my InfluxDBs are V2.
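The enrichment the rule above performs, modelled in Python as an added example (this is not the poster's code and not part of Graylog): a constructed in-memory table stands in for the "reverse_dns" lookup table, lookup_value() mimics Graylog's function including its optional default, and enrich_src_hostname() applies the same when/then logic. It also shows the two things a practitioner wants handled that the rule leaves implicit: an IP with no table entry gets a fixed marker instead of a null field, and a PTR result that is not a syntactically valid hostname is replaced by a marker, because the reverse-DNS content for an untrusted source address is controlled by whoever runs that address's reverse zone and should not be written into log fields unchecked. The table contents, the marker strings and the sample messages are all constructed for the example.

```python
import ipaddress
import re

# Constructed stand-in for Graylog's "reverse_dns" lookup table. In Graylog
# this would be backed by a DNS or CSV data adapter; here it is a plain dict.
REVERSE_DNS_TABLE = {
    "192.0.2.10": "fw-edge.example.net",
    "198.51.100.7": "mail.example.org",
    # Constructed hostile PTR content: a reverse zone the log owner does not control.
    "203.0.113.99": "evil<script>.example.test",
}

# Conservative hostname grammar (RFC 1123 style labels, total length <= 253).
# Anything that does not match is rejected rather than copied into the log field.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

UNRESOLVED_MARKER = "unresolved"    # constructed marker value
REJECTED_MARKER = "rejected-ptr"    # constructed marker value


def lookup_value(table, key, default=None):
    """Mimic Graylog's lookup_value(lookup_table, key, default)."""
    return table.get(key, default)


def enrich_src_hostname(message):
    """Apply the rule's logic to one parsed message (a dict of fields).

    when:  has_field("src_ip") && is_not_null($message.src_ip)
    then:  src_hostname = lookup_value("reverse_dns", to_string(src_ip))
    Returns the (possibly updated) message dict.
    """
    if "src_ip" not in message or message["src_ip"] is None:
        return message                      # rule condition not met
    ts = str(message["src_ip"])             # to_string($message.src_ip)
    try:
        ipaddress.ip_address(ts)            # only look up well-formed addresses
    except ValueError:
        return message                      # leave malformed values unenriched
    lv = lookup_value(REVERSE_DNS_TABLE, ts, default=UNRESOLVED_MARKER)
    if lv != UNRESOLVED_MARKER and not HOSTNAME_RE.match(lv):
        lv = REJECTED_MARKER                # untrusted PTR data failed validation
    message["src_hostname"] = lv            # set_field("src_hostname", lv)
    return message


def enrich_all(messages):
    """Run the rule over a batch of messages, as a pipeline stage would."""
    return [enrich_src_hostname(dict(m)) for m in messages]


if __name__ == "__main__":
    # Constructed firewall-block messages as they might look after parsing.
    sample = [
        {"action": "block", "src_ip": "192.0.2.10", "dst_port": 22},
        {"action": "block", "src_ip": "192.0.2.200", "dst_port": 443},
        {"action": "block", "src_ip": "203.0.113.99", "dst_port": 3389},
        {"action": "block", "dst_ip": "198.51.100.7"},
    ]
    for m in enrich_all(sample):
        print(m)
```

The markers are deliberately fixed strings so that a search for src_hostname:unresolved or src_hostname:rejected-ptr in Graylog would surface exactly the messages where enrichment did not produce a trustworthy name.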