About stream rule match type


(Xuziheng1002) #1

I want to define a stream with following rules:
(field.source == “192.168.1.1” OR field.source == “192.168.2.2” ) AND field.file =="/var/log/abc.log"

But Graylog2.3 can not set the match type with ‘AND’ + ‘OR’ both. anyway to solve it?


(Jochen) #2

You can use pipeline rules to route messages into streams with the route_to_stream() function.


(Xuziheng1002) #3

I try that,but that is difficult to update and create by our CMDB-system dynamic.

so I am thinking ,how about write the rule like this:

field.source == hostname01|hostname02|hostname03 AND field.file =="/var/log/abc.log"

let multiple source rule be one rule with “|”(Regular expression), is this way OK??

if OK, what is the length of value?


(Xuziheng1002) #4

sorry,

what is the length of value?
-> what is the max-length of the value field.


(Jochen) #5

Yes, that would work if you used a regular expression stream rule.


(Xuziheng1002) #6

Do you know the max-length of field “value” in stream rule?


(Jochen) #7

It’s limited by the size of the POST requests your web browser supports and the maximum size of the String datatype in Java (2147483647 bytes or limited by the JVM heap size).

This being said, you should be aware that regular expressions are “expensive” to compute and to check, so you should keep it at a sane size.


(Xuziheng1002) #8

Thanks for replay.
You’re right, I should be aware the performance of Graylog-server.


(system) #9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.