With pipeline rules you can do that for sure.

I made a rule like this:

rule "Security"
when
    has_field("Channel") && contains(to_string($message.Channel), "Security")
then
    set_field("tag", "Security");
end

Add the rule to a pipeline, on stage 0, then connect the pipeline to any 
stream and it will tag your messages accordingly.

Just have a look at the pipeline rules how-to and use the CIDR part:
http://docs.graylog.org/en/2.1/pages/pipelines/rules.html

Based on this I would do:

rule "from firewall subnet"
when
    cidr_match("10.10.10.0/24", to_ip($message.gl2_remote_ip))
then
    set_field("tag", "Firewall");
end

Attached you can see how I tag some messages in the NXLog output section. 
In case you are using NXLog with sidecar-collector, simply add the code as 
a verbatim configuration to the given output.
The tagging will happen on the clients - reducing the load on the server. 

On Tuesday, 31 January 2017 20:48:02 UTC+1, Joe G wrote:
>
> If I have numerous streams (i.e. one for linux, one for networking, etc), 
> can I tag them somehow based on the IP CIDR of the sending devices so I can 
> use a tag such as site or region to filter my traffic?
>

-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/af278eb3-8271-4f29-8f2c-50fa45d13163%40googlegroups.com.
# Attachment: NXLog output-section Exec statements referred to above.
# This configuration deletes the computer account logins: for the listed
# AUDIT_SUCCESS events whose target account name ends in "$" (a machine
# account), a one-line summary is written to a local drop file and the
# event is dropped instead of being forwarded.
        Exec if ($EventID == 4624 or $EventID == 4634 or $EventID == 4678) and ($EventType == "AUDIT_SUCCESS") \
                {                                                                                                \
                    if $TargetUserName =~ /.\$/ {                                                                \
                        $raw_event = "Time:" + $EventTime + ", EventID:" + $EventID + ", LogonType:" + $LogonType + ", User:" + $TargetDomainName + "\\" + $TargetUserName + ", IPAddr:" + $IPAddress + "\n"; \
                        file_write("C:\\Program Files (x86)\\nxlog\\data\\security_drop.log", $raw_event);       \
                        drop();                                                                                  \
                    }                                                                                            \
                }
# This configuration tags the PCI-DSS related messages (every event that
# reaches this point gets the tag; the drop() above runs first).
        Exec $tag = 'PCI-DSS';
# Map the Windows Security event ID to a human-readable $action field.
        Exec if $EventID == 1102 {$action = 'Log Clear';}
        Exec if $EventID == 4608 {$action = 'Windows Start';}
        Exec if $EventID == 4609 {$action = 'Windows Shutdown';}
        Exec if $EventID == 4610 {$action = 'An authentication package was loaded by the Local Security Authority.';}
        Exec if $EventID == 4611 {$action = 'A trusted logon process has registered with the Local Security Authority.';}
        Exec if $EventID == 4612 {$action = 'Internal resources allocated for the queuing of security event messages have been exhausted, leading to the loss of some security event messages.';}
        Exec if $EventID == 4614 {$action = 'A notification package was loaded by the Security Accounts Manager';}
        Exec if $EventID == 4616 {$action = 'Server time out of synchronization with Domain Controller';}
        Exec if $EventID == 4624 {$action = 'Successful Logon (on DC)';}
        Exec if $EventID == 4625 {$action = 'Failed Logon attempts – All users';}
        Exec if $EventID == 4634 {$action = 'logoff';}
        Exec if $EventID == 4647 {$action = 'logoff initiated';}
        Exec if $EventID == 4657 {$action = 'A registry value was modified (System Level Object)';}
        Exec if $EventID == 4660 {$action = 'Creation or deletion of files in folders containing Cardholder Data';}
        Exec if $EventID == 4663 {$action = 'All access to files containing Cardholder Data';}
        Exec if $EventID == 4670 {$action = 'Changes to access privileges or ownership on folders containing Cardholder Data';}
        Exec if $EventID == 4674 {$action = 'Privilege use (Failure only) for the following user groups: Accounts (User, service or process) with access to Cardholder Data';}
        Exec if $EventID == 4697 {$action = 'A service was installed in the system.';}
        Exec if $EventID == 4720 {$action = 'User Account Created';}
        Exec if $EventID == 4722 {$action = 'User Account Enabled';}
        Exec if $EventID == 4723 {$action = 'User changed own password';}
        Exec if $EventID == 4724 {$action = 'Password Reset';}
        Exec if $EventID == 4725 {$action = 'Disable Account';}
        Exec if $EventID == 4726 {$action = 'User Account Deleted';}
        Exec if $EventID == 4727 {$action = 'Global Security Group Created';}
        Exec if $EventID == 4728 {$action = 'Global Security Group Member added';}
        Exec if $EventID == 4729 {$action = 'Global Security Group Member removed';}
        Exec if $EventID == 4730 {$action = 'Global Security Group Deleted';}
        Exec if $EventID == 4731 {$action = 'Local Security Group Created';}
        Exec if $EventID == 4732 {$action = 'Local Security Group Member added';}
        Exec if $EventID == 4733 {$action = 'Local Security Group Member removed';}
        Exec if $EventID == 4734 {$action = 'Local Security Group Deleted';}
        Exec if $EventID == 4735 {$action = 'A local security group was changed';}
        Exec if $EventID == 4737 {$action = 'A global security group was changed.';}
        Exec if $EventID == 4738 {$action = 'User Account Changed (password set)';}
        Exec if $EventID == 4740 {$action = 'Account Lockouts – All users';}
        Exec if $EventID == 4741 {$action = 'A computer account was created.';}
        Exec if $EventID == 4742 {$action = 'A computer account was changed.';}
        Exec if $EventID == 4743 {$action = 'A computer account was deleted.';}
        Exec if $EventID == 4744 {$action = 'Local Distribution group created';}
        Exec if $EventID == 4745 {$action = 'Local Distribution group changed';}
        Exec if $EventID == 4746 {$action = 'Local Distribution group member added';}
        Exec if $EventID == 4747 {$action = 'Local Distribution group member removed';}
        Exec if $EventID == 4748 {$action = 'Local Distribution group deleted';}
        Exec if $EventID == 4749 {$action = 'Global Distribution Group created';}
        Exec if $EventID == 4750 {$action = 'Global Distribution Group changed';}
        Exec if $EventID == 4751 {$action = 'Global Distribution Group member added';}
        Exec if $EventID == 4752 {$action = 'Global Distribution Group member removed';}
        Exec if $EventID == 4753 {$action = 'Global Distribution Group deleted';}
        Exec if $EventID == 4754 {$action = 'A universal security group was created.';}
        Exec if $EventID == 4755 {$action = 'A universal security group was changed';}
        Exec if $EventID == 4756 {$action = 'A universal security group member added';}
        Exec if $EventID == 4757 {$action = 'A universal security group member removed';}
        Exec if $EventID == 4758 {$action = 'A security-enabled universal group was deleted.';}
        Exec if $EventID == 4759 {$action = 'Universal Distribution Group Created';}
        Exec if $EventID == 4760 {$action = 'Universal Distribution Group Changed';}
        Exec if $EventID == 4761 {$action = 'Universal Distribution Group Member added';}
        Exec if $EventID == 4762 {$action = 'Universal Distribution Group Member removed';}
        Exec if $EventID == 4763 {$action = 'Universal Distribution Group Deleted';}
        Exec if $EventID == 4764 {$action = 'A group’s type was changed.';}
        Exec if $EventID == 4767 {$action = 'Account Lockout Release – All users';}
        Exec if $EventID == 4768 {$action = 'Authentication Request (logged on the DC)';}
        Exec if $EventID == 4771 {$action = 'Kerberos Pre-authentication failed';}
        Exec if $EventID == 4772 {$action = 'Kerberos Authentication ticket request failed';}
        Exec if $EventID == 4776 {$action = 'Account Logon (with a local Computer account)';}
        Exec if $EventID == 4778 {$action = 'Remote desktop Session Reconnected';}
        Exec if $EventID == 4779 {$action = 'Remote desktop Session Disconnected';}
        Exec if $EventID == 4781 {$action = 'User account name changed';}
        Exec if $EventID == 4800 {$action = 'Source:Microsoft-Windows-Security-Auditing,The workstation was locked.';}
        Exec if $EventID == 4801 {$action = 'Source:Microsoft-Windows-Security-Auditing,The workstation was unlocked.';}
        Exec if $EventID == 4802 {$action = 'Screen Saver invoked';}
        Exec if $EventID == 4803 {$action = 'Screen Saver dismissed';}
        Exec if $EventID == 5136 {$action = 'Source:Microsoft-Windows-Security-Auditing,A directory service object was modified.';}
        Exec if $EventID == 5137 {$action = 'A directory service object was created.';}
        Exec if $EventID == 5141 {$action = 'A directory service object was deleted.';}
        Exec if $EventID == 5143 {$action = 'All access to folders containing Cardholder Data';}
# NOTE: 5143 appears twice as posted; the second assignment overwrites the first.
        Exec if $EventID == 5143 {$action = 'Changes to %SYSTEMROOT%\SYSTEM32 folder contents (System Level Object)';}
        Exec if $EventID == 5144 {$action = 'network share was deleted';}
# NOTE: 47239 is not a Windows Security event ID as posted; this line never matches.
        Exec if $EventID == 47239 {$action = 'Password Change';}
        Exec if $EventID == 6144 {$action = 'Application of group policies to a container';}

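Added example (not code from the post, Graylog or NXLog): a local Python emulation of the CIDR-based tagging the second pipeline rule performs, extended from one subnet to a table of site/region prefixes with longest-prefix precedence, plus a renderer that emits the matching pipeline rule text. The site table, sample messages and function names are constructed assumptions; `gl2_remote_ip`, `cidr_match`, `to_ip`, `has_field` and `set_field` are the field and functions the post and the linked documentation use.

```python
import ipaddress

# Constructed site table (CIDR -> tag), not from the original post. Overlapping
# prefixes are allowed: the most specific (longest) prefix wins.
SITE_TABLE = {
    "10.10.10.0/24": "Firewall",
    "10.10.0.0/16": "site-hq",
    "10.20.0.0/16": "site-branch",
    "2001:db8::/32": "site-lab",
}

# Constructed sample messages in Graylog's field layout; gl2_remote_ip is the
# field the post's rule reads. The last two exercise the failure modes.
SAMPLE_MESSAGES = [
    {"message": "fw: deny tcp", "gl2_remote_ip": "10.10.10.7"},
    {"message": "sshd: accepted", "gl2_remote_ip": "10.10.42.9"},
    {"message": "router: link up", "gl2_remote_ip": "2001:db8::1"},
    {"message": "no source ip recorded"},
    {"message": "bad field", "gl2_remote_ip": "not-an-ip"},
]

def tag_for_ip(ip_text):
    """Return the tag of the longest matching prefix, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # to_ip() would fail on this value; leave untagged
    best = None
    for cidr, tag in SITE_TABLE.items():
        net = ipaddress.ip_network(cidr)
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, tag)
    return best[1] if best else None

def tag_message(message):
    """Emulate has_field() + cidr_match() + set_field("tag", ...) locally."""
    if "gl2_remote_ip" not in message:
        return dict(message)  # rule condition is false: message untouched
    tag = tag_for_ip(message["gl2_remote_ip"])
    return dict(message, tag=tag) if tag else dict(message)

def render_rule(cidr, tag):
    """Render one pipeline rule in the syntax shown in the post."""
    return (
        f'rule "from {tag} subnet"\nwhen\n'
        f'    has_field("gl2_remote_ip") && cidr_match("{cidr}", to_ip($message.gl2_remote_ip))\n'
        f'then\n    set_field("tag", "{tag}");\nend'
    )
```

Graylog runs every rule in a stage whose condition matches, so overlapping prefixes placed in one stage would fight over `tag`; keep the prefixes disjoint or put the more specific rule in a later stage if you want the precedence this evaluator applies.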