
Hi,
I have a case where Analyst uses the management IP, however there is a NAT address on the client side. The device address configured in the logs provides client IPs.

So I am looking to add a field management_address that we will define based on the device_address
i.e.: when an event has device_address=192.168.1.1 add field management_address=10.10.10.10

I've looked into a few ways to do this. Enrichment source I didn't see a good way to go about it. Adding a custom normalizer would be possible, but would have to add a signature for every IP <:ALL>192.168.1.1<:ALL> and then add keyvalue management_address=10.10.10.10
Label package would also be do-able and easier than norm signatures, but that would put the new IP in a label, rather than within the normalized event.

Wondering if anyone has come up with any other solutions or ideas.

Greetings!

You could use dynamic enrichment for the above-mentioned use case. You can create an enrichment source from a CSV where there is a mapping of the device_address with its respective management address.
Something like:
device_address, management address
192.168.1.1, 10.10.10.10
192.168.1.2, 10.10.10.20

..... and so on

You can then configure an enrichment policy with the following entries:
key_present: device_ip
enrichment source: <Uploaded_CSV>
source: device_ip, operation: equals, event_key:device_ip

This will add management IP as an enriched field for the device IP if it equals the respective management IP in the uploaded CSV


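As an added illustration of the policy described in the answer above (this is not LogPoint's own code; the CSV content, sample events and function names are constructed for the demo), the following models a key_present gate followed by an equals match against the uploaded CSV, and shows how unmatched events and whitespace in the CSV are handled:

```python
import csv
import io
import ipaddress

# Constructed CSV in the shape of the answer's mapping; note the space after
# each comma, which must be stripped or the lookup never matches.
MAPPING_CSV = """device_address, management_address
192.168.1.1, 10.10.10.10
192.168.1.2, 10.10.10.20
"""


def load_mapping(csv_text):
    """Build {device_address: management_address}; values are stripped and
    validated as IPs so a malformed row fails loudly, not silently."""
    reader = csv.reader(io.StringIO(csv_text), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    src = header.index("device_address")
    dst = header.index("management_address")
    mapping = {}
    for row in reader:
        if not row:
            continue
        dev = str(ipaddress.ip_address(row[src].strip()))
        mapping[dev] = str(ipaddress.ip_address(row[dst].strip()))
    return mapping


def enrich(event, mapping, key="device_address", new_key="management_address"):
    """key_present gate, then 'equals' against the CSV. The original field is
    kept; events with no key or no match pass through unchanged."""
    if key not in event:
        return event
    mgmt = mapping.get(event[key])
    if mgmt is None:
        return event
    return {**event, new_key: mgmt}


# Constructed events: a mapped address, an unmapped one, and a missing key.
SAMPLE_EVENTS = [
    {"device_address": "192.168.1.1", "msg": "login ok"},
    {"device_address": "192.168.9.9", "msg": "no mapping"},
    {"source_address": "10.0.0.5", "msg": "key absent"},
]

if __name__ == "__main__":
    table = load_mapping(MAPPING_CSV)
    for ev in SAMPLE_EVENTS:
        print(enrich(ev, table))
```

Because the mapped value is added as a new field rather than replacing device_address, searches on either the client IP or the management IP keep working.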