Solved

I want to add a field management_address to its respective device_address.

  • 4 May 2021
  • 1 reply
  • 69 views


Hi,
I have a case where the analyst uses the management IP, however there is a NAT address on the client side. The device address configured in the logs provides client IPs.

So I am looking to add a field management_address that we will define based on the device_address
i.e. when an event has device_address=192.168.1.1, add the field management_address=10.10.10.10

I've looked into a few ways to do this. With an enrichment source I didn't see a good way to go about it. Adding a custom normalizer would be possible, but I would have to add a signature for every IP, <:ALL>192.168.1.1<:ALL>, and then add the key-value management_address=10.10.10.10.
A label package would also be doable, and easier than norm signatures, but that would put the new IP in a label rather than within the normalized event.

Wondering if anyone has come up with any other solutions or ideas.

Best answer by Rupsan Shrestha 4 May 2021, 08:23

1 reply


Greetings!

You could use dynamic enrichment for the above-mentioned use case. You can create an enrichment source from a CSV where there is a mapping of the device_address to its respective management address.
Something like:
device_address, management address
192.168.1.1, 10.10.10.10
192.168.1.2, 10.10.10.20

... and so on

You can then configure an enrichment policy with the following entries:
key_present: device_ip
enrichment source: <Uploaded_CSV>
source: device_ip, operation: equals, event_key:device_ip

This will add the management IP as an enriched field for the device IP if it equals the respective management IP in the uploaded CSV.
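As an added illustration (not code from this thread or from any product), the snippet below models the policy described in the reply in Python: a CSV in the layout shown above is loaded into a device-to-management mapping, and an event receives management_address only when device_address is present and equals a mapped row. The key name device_address, the sample CSV and the sample events are assumptions; rows whose addresses are not valid IPs are skipped so a malformed line cannot create a key that never matches.

```python
import csv
import ipaddress

# Constructed sample CSV in the layout the answer shows (header, then rows).
SAMPLE_CSV = """device_address, management address
192.168.1.1, 10.10.10.10
192.168.1.2, 10.10.10.20
not-an-ip, 10.10.10.30
"""

# Constructed normalized events as key/value dicts.
SAMPLE_EVENTS = [
    {"device_address": "192.168.1.1", "action": "login"},
    {"device_address": "192.168.1.2", "action": "logout"},
    {"device_address": "172.16.0.5", "action": "login"},  # no mapping row
    {"action": "heartbeat"},                              # key absent
]


def load_mapping(csv_text):
    """Build {device_address: management_address} from the CSV text.
    Whitespace around header names and values is stripped, and rows whose
    addresses are not valid IPs are skipped (assumed hardening step)."""
    reader = csv.reader(csv_text.splitlines(), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    dev_col = header.index("device_address")
    mgmt_col = header.index("management address")
    mapping = {}
    for row in reader:
        if len(row) <= max(dev_col, mgmt_col):
            continue  # short or blank row
        dev, mgmt = row[dev_col].strip(), row[mgmt_col].strip()
        try:
            ipaddress.ip_address(dev)
            ipaddress.ip_address(mgmt)
        except ValueError:
            continue
        mapping[dev] = mgmt
    return mapping


def enrich(events, mapping, key="device_address", new_key="management_address"):
    """Copy each event and add new_key only when key is present and its value
    equals a mapped device address (the key_present + equals policy)."""
    out = []
    for ev in events:
        ev = dict(ev)  # leave the caller's event untouched
        if key in ev and ev[key] in mapping:
            ev[new_key] = mapping[ev[key]]
        out.append(ev)
    return out
```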
