
GrayLog Stream Lookup (SLookup) Pipeline Processor function

Plugin SLookup 2.0.0 - Multiple Return Fields

Stream Lookup function for GrayLog2 Pipeline Processor

billmurrin
free!

Published

17 Jan 00:59

Last Push

17 Jan 01:06

Discussion

3 Comments


Comments

KnowMoreIT about 1 month ago

I think I figured out the problem. Since the messages come in exactly at the same time, it may not be in the search results yet when the pipeline runs. I got it working in the simulator by adjusting the timestamp because I was thinking it was going off the source timestamp for some reason and it is actually the relative time from the time you run the simulator. This plugin is going to be very useful though. Thank you!

KnowMoreIT about 1 month ago

I wasn't able to get this to work. I was trying to use it for looking up data from an NPS server for failed logins (unauthorized MAC addresses). The problem is that NPS has one log for the computer trying, which includes the switch port number, and the failed login afterwards contains the failure.

```
rule "NPS Server - Get Port Information"
when
  has_field("Acct-Session-Id") == true && has_field("NAS-Port-Id") == false
then
  // stream id, source field, field to search on, return fields, time range in seconds, sort order
  let getport = slookup("5cb4f45fd4f7df652d151e12", "Acct-Session-Id", "Acct-Session-Id", ["NAS-Port-Id"], "600", "desc");
  // field name now matches the one tested in the when clause (was "NAS-Port-ID")
  set_field("NAS-Port-Id", getport);
end
```

So this should be getting the NAS-Port-Id value from the stream 5cb4f45fd4f7df652d151e12 using the search query Acct-Session-Id:, but it always returns "no match found" (even in the simulator).

This is a fantastic idea though.
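To make the timing problem described in these two comments concrete, here is an added Python model of the lookup (this is not the plugin's code; the stream contents, the port values and the "indexed" flag that models whether a message is already searchable when the rule runs are assumptions for illustration). The rule fires on the failure message, and the earlier message carrying NAS-Port-Id is found only if it is in the same stream, already indexed, and inside the time window.

```python
from datetime import datetime, timedelta

STREAM = "5cb4f45fd4f7df652d151e12"  # stream id from the rule above
RULE_RUN = datetime(2020, 1, 17, 0, 59, 1)  # constructed: one second after the messages below

# Constructed NPS-style messages already in the stream. "indexed" models whether the
# message is searchable at the moment the rule runs (assumption for illustration).
MESSAGES = [
    {"stream": STREAM, "timestamp": datetime(2020, 1, 17, 0, 59, 0), "indexed": True,
     "Acct-Session-Id": "A1B2", "NAS-Port-Id": "GigabitEthernet1/0/7"},
    {"stream": STREAM, "timestamp": datetime(2020, 1, 17, 0, 59, 0), "indexed": False,
     "Acct-Session-Id": "C3D4", "NAS-Port-Id": "GigabitEthernet1/0/9"},
    {"stream": "another-stream", "timestamp": datetime(2020, 1, 17, 0, 59, 0), "indexed": True,
     "Acct-Session-Id": "E5F6", "NAS-Port-Id": "GigabitEthernet1/0/11"},
]


def slookup(stream, src_field, dst_field, rtn_fields, time_range, sort_order,
            message, now, store=MESSAGES):
    """Model of slookup(stream, srcField, dstField, rtnFields, timeRange, sortOrder):
    search `stream` for indexed messages whose dst_field equals the current message's
    src_field, no older than time_range seconds, sort them by timestamp ("desc" =
    newest first) and return rtn_fields from the first hit, or None on no match."""
    value = message.get(src_field)
    if value is None:
        return None
    window_start = now - timedelta(seconds=int(time_range))
    hits = [m for m in store
            if m["stream"] == stream and m["indexed"]
            and m.get(dst_field) == value and window_start <= m["timestamp"] <= now]
    if not hits:
        return None  # the "no match found" case from the comment
    hits.sort(key=lambda m: m["timestamp"], reverse=(sort_order == "desc"))
    return {f: hits[0].get(f) for f in rtn_fields}


def enrich_failure(message, now):
    """The rule: enrich messages that carry Acct-Session-Id but no NAS-Port-Id."""
    if "Acct-Session-Id" in message and "NAS-Port-Id" not in message:
        found = slookup(STREAM, "Acct-Session-Id", "Acct-Session-Id",
                        ["NAS-Port-Id"], "600", "desc", message, now)
        # only copy fields that were actually found; never write an empty port id
        if found and found.get("NAS-Port-Id") is not None:
            message = {**message, **found}
    return message
```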

helpitorg about 1 year ago

Hello Billmurrin,
thank you very much for this great plugin. It did a great job for me. I was ordered to find a solution to analyse the logs of a pfsense guest WLAN of a bigger environment regarding which voucher is linked to which IP address. The pfsense filterlogs only show the source and destination IP, and the mapping of IPs is only shown in a different log file. Thanks to your "slookup" I managed to have Graylog add a field "IP_MAPS_VOUCHER" to the filterlog messages which shows the voucher a source IP is actually connected to. I hope that I will find the time as soon as possible to present my solution to the Graylog and the GitHub community. I can't believe that your plugin is not yet one of Graylog's default ones. I was nearly about to try to solve it with an ELK stack. Your plugin should be a must for future releases.
Thanks a lot!
helpitorg

