Graylog2 / graylog-plugin-threatintel

Graylog Processing Pipeline functions to enrich log messages with IoC information from threat intelligence databases

Unknown function error #46

Closed renjith1234 closed 7 years ago

renjith1234 commented 7 years ago

While creating a rule using threat intel, it is showing the error "unknown function". I am using Graylog server version 2.2.3-1.

joschi commented 7 years ago

@renjith1234 How did you install and configure Graylog? How did you download, install, and configure the Threat Intelligence plugin? Do you see the Threat Intelligence plugin in the log output of your Graylog node on startup?

renjith1234 commented 7 years ago

Graylog server is a single node installation. Threat plugin installed using the Debian package. Plugin is loading at the time the server starts. I can see that in the log. Also in the Graylog dashboard under the configuration section I have enabled every lookup, that is OTX, tor, whois, etc. But when I create a rule it's showing an error.

renjith1234 commented 7 years ago

[image: Screenshot: Plugin configured]

joschi commented 7 years ago

@renjith1234 Please post the rule which triggers the error. Also please post the content of the "Installed plugins" section on the System / Nodes / Details page.

> Graylog server is a single node installation.

Please provide more details. Is this a manual install, an installation from the official packages (DEB or RPM), or an OVA? What's in your Graylog configuration file?

renjith1234 commented 7 years ago

This is a manual basic installation of Graylog server following the installation guide for Ubuntu server in the Graylog documentation. Nothing changed in the configuration file other than the required changes as per the installation guide.

renjith1234 commented 7 years ago

[image: Installed plugins]

joschi commented 7 years ago

@renjith1234 You're using an old version of the Pipeline Processor plugin which might be incompatible with your version of Graylog or the version of the Threat Intelligence plugin.

Please post the rule which triggers the error.

renjith1234 commented 7 years ago

Pipeline processor plugin came with the graylog latest version 2.2.3-1 installation.

Rule:

```
rule "Threat Intel Lookup SourceAddress"
when
  has_field("SourceAddress")
then
  let src_addr_intel = threat_intel_lookup_ip(to_string($message.SourceAddress), "SourceAddress");
  set_fields(src_addr_intel);
end
```

joschi commented 7 years ago

> Pipeline processor plugin came with the graylog latest version 2.2.3-1 installation.

That's not true, at least for any of the official release artifacts (tarballs, OS packages (DEB/RPM), Docker images, OVA/AMI).

Check the plugin directory of your Graylog node for some stale files.
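The "stale files" check suggested above, as an added example that is not part of the thread or of the Graylog project: a small POSIX shell script that scans a plugin directory and reports any plugin artifact present in more than one version, which is exactly the situation where the loaded plugin version and the jar name disagree. It assumes jar filenames follow the `artifactId-version.jar` convention used by Graylog plugin builds; the default directory path and the constructed sample jar names are assumptions for illustration, not values taken from the thread.

```shell
#!/bin/sh
# Added example (not Graylog's own tooling): list plugin jars that share an
# artifact name but differ in version, i.e. stale leftovers in the plugin dir.
# ASSUMPTION: jar names look like <artifactId>-<version>.jar.
# ASSUMPTION: the default directory below is a placeholder; override it with
# PLUGIN_DIR=/path/to/plugin if your node uses another location.

PLUGIN_DIR="${PLUGIN_DIR:-/usr/share/graylog-server/plugin}"

# Print one "artifact version" pair per jar found in the given directory.
list_plugin_versions() {
  dir="$1"
  for jar in "$dir"/*.jar; do
    [ -e "$jar" ] || continue
    base=$(basename "$jar" .jar)
    # Version = everything after the last "-" that is followed by a digit;
    # artifact = everything before it (handles suffixes like 1.0.0-SNAPSHOT).
    version=$(printf '%s\n' "$base" | sed -E 's/^.*-([0-9][0-9A-Za-z.-]*)$/\1/')
    artifact=$(printf '%s\n' "$base" | sed -E 's/-[0-9][0-9A-Za-z.-]*$//')
    printf '%s %s\n' "$artifact" "$version"
  done
}

# Print "artifact: v1 v2 ..." for every artifact seen in more than one version.
# Empty output means no duplicate plugin jars were found.
find_stale_plugins() {
  list_plugin_versions "$1" | sort | awk '
    { count[$1]++; versions[$1] = versions[$1] " " $2 }
    END { for (a in count) if (count[a] > 1) print a ":" versions[a] }' | sort
}

# Build a throwaway directory with constructed jar names that mirror the
# thread's symptom (two pipeline-processor versions side by side). The
# caller is responsible for removing the directory afterwards.
make_constructed_plugin_dir() {
  d=$(mktemp -d)
  touch "$d/graylog-plugin-pipeline-processor-2.2.0.jar" \
        "$d/graylog-plugin-pipeline-processor-2.2.3.jar" \
        "$d/graylog-plugin-threatintel-0.10.0.jar" \
        "$d/graylog-plugin-cef-1.2.0.jar"
  printf '%s\n' "$d"
}

# Stand-alone run: check the constructed directory, then the real one.
main() {
  sample=$(make_constructed_plugin_dir)
  echo "Duplicate plugin artifacts in constructed sample dir:"
  find_stale_plugins "$sample"
  rm -rf "$sample"
  echo "Duplicate plugin artifacts in $PLUGIN_DIR:"
  find_stale_plugins "$PLUGIN_DIR"
}
main
```

Any line printed for the real plugin directory names an artifact with two jars on disk; remove the older one and restart the node so only a single version of each plugin is loaded.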

renjith1234 commented 7 years ago

[image] Installed jar is showing version 2.2.3 but in the details it is 2.2.0

joschi commented 7 years ago

@renjith1234 Nope, it's using the version from the Maven POM, i.e. "2.2.3", so there's definitely something fishy with your plugins.

joschi commented 7 years ago

I also failed to reproduce the issue with a fresh installation of Graylog 2.2.3 with the Threat Intelligence plugin 0.10.0, so I'm closing this issue now.

We are using GitHub issues for tracking bugs in Graylog itself, but this doesn't look like one. Please post this issue to our discussion forum or join the #graylog channel on freenode IRC.

Thank you!

renjith1234 commented 7 years ago

Thanks for the support

renjith1234 commented 7 years ago

Identified the cause of the issue. The Threat intel plugin is not compatible with CEF input plugin version 1.2.0.

I tried with the previous version of CEF plugin and now it is working.