Please check whether the IP of the remote side is in the 'gl2_remote_ip' 
field in the search.
If not, simply use the name of the field where the IP is.

In my case (Windows security logs through the NXLog GELF TCP output) it is in 
the 'IpAddress' field, so I would use 'to_ip($message.IpAddress)' to match 
the content of this field.
Hope this helps - I was able to do what I wanted with the rules.


On Wednesday, 1 February 2017 16:28:21 UTC+1, Joe G wrote:
>
> Thanks, unfortunately, all my sites are getting the same value. I created 
> a connection/stream with three pipelines called site A, site B, and Site C. 
> In each pipeline is a single stage 0 rule specific to each the site, to 
> match the subnet of that site. In my site A rule, I have:
> rule "Site a"
> when
>     cidr_match("192.168.100.0/24", to_ip($message.gl2_remote_ip))
> then
>     set_field("cidr_site", "site a");
> end
>
> In my site B rule, I have:
> rule "Site b"
> when
>     cidr_match("192.168.150.0/24", to_ip($message.gl2_remote_ip))
> then
>     set_field("cidr_site", "site b");
> end
>
> In my site C rule, I have:
> rule "Site c"
> when
>     cidr_match("192.168.200.0/24", to_ip($message.gl2_remote_ip))
> then
>     set_field("cidr_site", "site c");
> end
>
> I have looked in Elasticsearch and the gl2_remote_ip is correct, but it assigns 
> the incorrect value of "site A" for cidr_site, although it should match the 
> CIDR for their respective sites.
>
>
>
>
> On Wednesday, February 1, 2017 at 4:20:27 AM UTC-5, Peter Dudas wrote:
>>
>> With pipeline rules you can do that for sure.
>>
>> I made a rule like this:
>>
>> rule "Security"
>> when
>>     has_field("Channel") && (contains(to_string($message.Channel), "Security"))
>> then
>>     set_field("tag", "Security");
>> end
>>
>> Add the rule to a pipeline, on stage 0, then connect the pipeline to any 
>> stream and it will tag your messages accordingly.
>>
>> Just have a look at the pipeline rules howto and use the cidr part.
>> http://docs.graylog.org/en/2.1/pages/pipelines/rules.html
>>
>> based on this I would do:
>>
>> rule "from firewall subnet"
>> when
>>     cidr_match("10.10.10.0/24", to_ip($message.gl2_remote_ip))
>> then
>>     set_field("tag", "Firewall");
>> end
>>
>> Attached you can see how I tag some messages in the NXLog output section. 
>> In case you are using NXLog with sidecar-collector, simply add the code as 
>> a verbatim configuration to the given output.
>> The tagging will happen on the clients - reducing the load on the server. 
>>
>> On Tuesday, 31 January 2017 20:48:02 UTC+1, Joe G wrote:
>>>
>>> If I have numerous streams (i.e. one for linux, one for networking, 
>>> etc), can I tag them somehow based on the IP CIDR of the sending devices so 
>>> I can use a tag such as site or region to filter my traffic?
>>>
>>

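The per-site tagging logic this thread arrives at, written out as a small Python model so the expected behaviour can be checked offline before it is put into pipeline rules. This is an added example, not code from the thread or from Graylog: the to_ip, cidr_match, tag_site and tag_all functions, the sample messages, and the choice to return None for a missing or unparseable address are assumptions made here; the three subnets and the gl2_remote_ip / IpAddress field names are the ones mentioned in the thread.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Site rules in evaluation order: (CIDR, value for cidr_site).
# Constructed for this example; the three subnets are the ones from the thread.
SITE_RULES = [
    ("192.168.100.0/24", "site a"),
    ("192.168.150.0/24", "site b"),
    ("192.168.200.0/24", "site c"),
]


def to_ip(value) -> Optional[IPAddress]:
    """Parse a field value into an address object.

    A missing field or an unparseable string yields None, so it can never
    match a subnet. (Assumption made for this example; Graylog's own to_ip()
    has its own default handling, see the pipeline function reference.)
    """
    if value is None:
        return None
    try:
        return ipaddress.ip_address(str(value).strip())
    except ValueError:
        return None


def cidr_match(cidr: str, ip: Optional[IPAddress]) -> bool:
    """True only when ip parsed successfully and lies inside cidr."""
    if ip is None:
        return False
    network = ipaddress.ip_network(cidr, strict=False)
    return ip.version == network.version and ip in network


def tag_site(message: dict, ip_field: str = "gl2_remote_ip", rules=SITE_RULES) -> dict:
    """Apply the site rules to one message and return a tagged copy.

    ip_field is the field that actually carries the sender address:
    gl2_remote_ip for plain inputs, or e.g. IpAddress for Windows security
    events shipped by NXLog, as the thread notes. Each matching rule sets
    cidr_site, so with overlapping subnets the last matching rule wins, the
    same way repeated set_field() calls overwrite one another.
    """
    tagged = dict(message)
    ip = to_ip(message.get(ip_field))
    for cidr, site in rules:
        if cidr_match(cidr, ip):
            tagged["cidr_site"] = site
    return tagged


def tag_all(messages, ip_field: str = "gl2_remote_ip"):
    """Return the cidr_site value (or None) for each message, in order."""
    return [tag_site(m, ip_field).get("cidr_site") for m in messages]


# Constructed sample messages: one per site, plus the cases worth checking
# before trusting the rules: an address outside every subnet, a message with
# no address at all, and a Windows event whose address sits in IpAddress.
SAMPLE_MESSAGES = [
    {"message": "sshd: session opened", "gl2_remote_ip": "192.168.100.17"},
    {"message": "sshd: session opened", "gl2_remote_ip": "192.168.150.9"},
    {"message": "sshd: session opened", "gl2_remote_ip": "192.168.200.250"},
    {"message": "ntp sync", "gl2_remote_ip": "10.0.0.5"},
    {"message": "local cron job"},
    {"message": "An account was successfully logged on", "IpAddress": "192.168.150.33"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(tag_site(msg).get("cidr_site"), "<-", msg)
    # The Windows event only gets a site once the right field is named:
    print(tag_site(SAMPLE_MESSAGES[5], ip_field="IpAddress")["cidr_site"])
```

Running it shows each of the first three messages landing in its own site, which is the result Joe expected from his three rules; the last message gets no site at all until ip_field is switched to IpAddress, which is the field-name point made at the top of the thread.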
-- 
You received this message because you are subscribed to the Google Groups 
"Graylog Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/graylog2/7bb138f4-e9d4-456b-8c0b-fd1e72b9d59a%40googlegroups.com.