With pipeline rules you can do that for sure. I made a rule like this:

    rule "Security"
    when
        has_field("Channel") && contains(to_string($message.Channel), "Security")
    then
        set_field("tag", "Security");
    end

Add the rule to a pipeline, on stage 0, then connect the pipeline to any stream and it will tag your messages accordingly.

Just have a look at the pipeline rules howto and use the cidr part: http://docs.graylog.org/en/2.1/pages/pipelines/rules.html

Based on this I would do:

    rule "from firewall subnet"
    when
        cidr_match("10.10.10.0/24", to_ip($message.gl2_remote_ip))
    then
        set_field("tag", "Firewall");
    end

Attached you can see how I tag some messages in the NXLog output section. In case you are using NXLog with sidecar-collector, simply add the code as a verbatim configuration to the given output. The tagging will happen on the clients, reducing the load on the server.

On Tuesday, 31 January 2017 20:48:02 UTC+1, Joe G wrote:
>
> If I have numerous streams (i.e. one for linux, one for networking, etc),
> can I tag them somehow based on the IP CIDR of the sending devices so I can
> use a tag such as site or region to filter my traffic?
>
    # this configuration deletes the computer account logins
    # (successful 4624/4634/4678 events whose TargetUserName ends in "$")
    # and writes a one-line copy of each dropped event to a local file
    Exec if ($EventID == 4624 or $EventID == 4634 or $EventID == 4678) and ($EventType == "AUDIT_SUCCESS") \
         { \
           if $TargetUserName =~ /.\$/ \
           { \
             $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", LogonType:" + $LogonType + \
                          ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress + "\n"; \
             file_write("C:\\Program Files (x86)\\nxlog\\data\\security_drop.log", $raw_event); \
             drop(); \
           } \
         }

    # this configuration tags the PCI-DSS related messages
    Exec $tag = 'PCI-DSS';

    # map the event ID to a human-readable $action field
    Exec if $EventID == 1102 {$action = 'Log Clear';}
    Exec if $EventID == 4608 {$action = 'Windows Start';}
    Exec if $EventID == 4609 {$action = 'Windows Shutdown';}
    Exec if $EventID == 4610 {$action = 'An authentication package was loaded by the Local Security Authority.';}
    Exec if $EventID == 4611 {$action = 'A trusted logon process has registered with the Local Security Authority.';}
    Exec if $EventID == 4612 {$action = 'Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.';}
    Exec if $EventID == 4614 {$action = 'A notification package was loaded by the Security Accounts Manager';}
    Exec if $EventID == 4616 {$action = 'Server time out of synchronization with Domain Controller';}
    Exec if $EventID == 4624 {$action = 'Successful Logon (on DC)';}
    Exec if $EventID == 4625 {$action = 'Failed Logon attempts – All users';}
    Exec if $EventID == 4634 {$action = 'logoff';}
    Exec if $EventID == 4647 {$action = 'logoff initiated';}
    Exec if $EventID == 4657 {$action = 'A registry value was modified(System Level Object)';}
    Exec if $EventID == 4660 {$action = 'Creation or deletion of files in folders containing Cardholder Data';}
    Exec if $EventID == 4663 {$action = 'All access to files containing Cardholder Data';}
    Exec if $EventID == 4670 {$action = 'Changes to access privileges or ownership on folders containing Cardholder Data';}
    Exec if $EventID == 4674 {$action = 'Privilege use (Failure only) for the following user groups: Accounts (User, service or process) with access to Cardholder Data';}
    Exec if $EventID == 4697 {$action = 'A service was installed in the system.';}
    Exec if $EventID == 4720 {$action = 'User Account Created';}
    Exec if $EventID == 4722 {$action = 'User Account Enabled';}
    Exec if $EventID == 4723 {$action = 'User changed own password';}
    Exec if $EventID == 4724 {$action = 'Password Reset';}
    Exec if $EventID == 4725 {$action = 'Disable Account';}
    Exec if $EventID == 4726 {$action = 'User Account Deleted';}
    Exec if $EventID == 4727 {$action = 'Global Security Group Created';}
    Exec if $EventID == 4728 {$action = 'Global Security Group Member added';}
    Exec if $EventID == 4729 {$action = 'Global Security Group Member removed';}
    Exec if $EventID == 4730 {$action = 'Global Security Group Deleted';}
    Exec if $EventID == 4731 {$action = 'Local Security Group Created';}
    Exec if $EventID == 4732 {$action = 'Local Security Group Member added';}
    Exec if $EventID == 4733 {$action = 'Local Security Group Member removed';}
    Exec if $EventID == 4734 {$action = 'Local Security Group Deleted';}
    Exec if $EventID == 4735 {$action = 'A local security group was changed';}
    Exec if $EventID == 4737 {$action = 'A global security group was changed.';}
    Exec if $EventID == 4738 {$action = 'User Account Changed (password set)';}
    Exec if $EventID == 4740 {$action = 'Account Lockouts – All users';}
    Exec if $EventID == 4741 {$action = 'A computer account was created.';}
    Exec if $EventID == 4742 {$action = 'A computer account was changed.';}
    Exec if $EventID == 4743 {$action = 'A computer account was deleted.';}
    Exec if $EventID == 4744 {$action = 'Local Distribution group created';}
    Exec if $EventID == 4745 {$action = 'Local Distribution group changed';}
    Exec if $EventID == 4746 {$action = 'Local Distribution group member added';}
    Exec if $EventID == 4747 {$action = 'Local Distribution group member removed';}
    Exec if $EventID == 4748 {$action = 'Local Distribution group deleted';}
    Exec if $EventID == 4749 {$action = 'Global Distribution Group created';}
    Exec if $EventID == 4750 {$action = 'Global Distribution Group changed';}
    Exec if $EventID == 4751 {$action = 'Global Distribution Group member added';}
    Exec if $EventID == 4752 {$action = 'Global Distribution Group member removed';}
    Exec if $EventID == 4753 {$action = 'Global Distribution Group deleted';}
    Exec if $EventID == 4754 {$action = 'A universal security group was created.';}
    Exec if $EventID == 4755 {$action = 'A universal security group was changed';}
    Exec if $EventID == 4756 {$action = 'A universal security group member added';}
    Exec if $EventID == 4757 {$action = 'A universal security group member removed';}
    Exec if $EventID == 4758 {$action = 'A security-enabled universal group was deleted.';}
    Exec if $EventID == 4759 {$action = 'Universal Distribution Group Created';}
    Exec if $EventID == 4760 {$action = 'Universal Distribution Group Changed';}
    Exec if $EventID == 4761 {$action = 'Universal Distribution Group Member added';}
    Exec if $EventID == 4762 {$action = 'Universal Distribution Group Member removed';}
    Exec if $EventID == 4763 {$action = 'Universal Distribution Group Deleted';}
    Exec if $EventID == 4764 {$action = 'A group’s type was changed.';}
    Exec if $EventID == 4767 {$action = 'Account Lockout Release – All users';}
    Exec if $EventID == 4768 {$action = 'Authentication Request (logged on the DC)';}
    Exec if $EventID == 4771 {$action = 'Kerberos Pre-authentication failed';}
    Exec if $EventID == 4772 {$action = 'Kerberos Authentication ticket request failed';}
    Exec if $EventID == 4776 {$action = 'Account Logon (with a local Computer account)';}
    Exec if $EventID == 4778 {$action = 'Remote desktop Session Reconnected';}
    Exec if $EventID == 4779 {$action = 'Remote desktop Session Disconnected';}
    Exec if $EventID == 4781 {$action = 'User account name changed';}
    Exec if $EventID == 4800 {$action = 'Source:Microsoft-Windows-Security-Auditing,The workstation was locked.';}
    Exec if $EventID == 4801 {$action = 'Source:Microsoft-Windows-Security-Auditing,The workstation was unlocked.';}
    Exec if $EventID == 4802 {$action = 'Screen Saver invoked';}
    Exec if $EventID == 4803 {$action = 'Screen Saver dismissed';}
    Exec if $EventID == 5136 {$action = 'Source:Microsoft-Windows-Security-Auditing,A directory service object was modified.';}
    Exec if $EventID == 5137 {$action = 'A directory service object was created.';}
    Exec if $EventID == 5141 {$action = 'A directory service object was deleted.';}
    # note: 5143 is assigned twice below; the later Exec runs last, so its text wins
    Exec if $EventID == 5143 {$action = 'All access to folders containing Cardholder Data';}
    Exec if $EventID == 5143 {$action = 'Changes to %SYSTEMROOT%\SYSTEM32 folder contents (System Level Object)';}
    Exec if $EventID == 5144 {$action = 'network share was deleted';}
    # event ID below kept as posted; verify it against your audit policy
    Exec if $EventID == 47239 {$action = 'Password Change';}
    Exec if $EventID == 6144 {$action = 'Application of group policies to a container';}
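An added example, not from the post above: an offline model of the "tag by sender CIDR" rule, generalised to a table of site/region subnets as the question asks for, so the table can be checked before it is turned into pipeline rules. The subnet table, tag names and sample messages are constructed; overlapping subnets are resolved by longest prefix (the /24 beats the /16), and a missing or unparsable gl2_remote_ip leaves the message untagged, just as a non-matching "when" clause would.

```python
# Added example (not from the original post): offline model of tagging
# messages by the sender's subnet, as a Graylog cidr_match() rule does.
import ipaddress
from typing import Optional

# Constructed site table (hypothetical values): CIDR -> tag
SITE_TABLE = {
    "10.10.0.0/16": "site-berlin",
    "10.10.10.0/24": "firewall-berlin",    # more specific than the /16
    "192.168.50.0/24": "site-lisbon",
    "2001:db8:ab::/48": "site-lisbon-v6",
}

def site_tag(remote_ip: Optional[str], table=SITE_TABLE) -> Optional[str]:
    """Tag of the most specific subnet containing remote_ip, else None.
    None also covers a missing or unparsable address, mirroring a rule
    whose 'when' clause does not match."""
    if not remote_ip:
        return None
    try:
        ip = ipaddress.ip_address(remote_ip.strip())
    except ValueError:
        return None
    best = None
    for cidr, tag in table.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, tag)   # longest prefix wins
    return best[1] if best else None

def tag_messages(messages, table=SITE_TABLE):
    """Set 'tag' on each message dict that has a matching gl2_remote_ip;
    messages without a match are returned unchanged."""
    out = []
    for msg in messages:
        m = dict(msg)
        tag = site_tag(m.get("gl2_remote_ip"), table)
        if tag is not None:
            m["tag"] = tag
        out.append(m)
    return out

if __name__ == "__main__":
    sample = [   # constructed sample messages
        {"gl2_remote_ip": "10.10.10.7", "message": "fw: deny tcp"},
        {"gl2_remote_ip": "10.10.200.3", "message": "sshd: accepted"},
        {"gl2_remote_ip": "172.16.0.9", "message": "no site configured"},
        {"message": "no gl2_remote_ip field"},
    ]
    for m in tag_messages(sample):
        print(m.get("gl2_remote_ip"), "->", m.get("tag"))
```

In Graylog itself the same longest-prefix effect is obtained by putting the more specific rule in a later pipeline stage so it overwrites the tag set by the broader one.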