Another pipeline question

Hello dear community,
after now four hours of scratching my head I thought it’s time to ask…

I am fairly new to Graylog so perhaps I just misunderstood things.
I have a Syslog Input which is filled by various Linux servers. All messages do appear in the “All messages” stream. I now created another stream “All Syslog” where I put messages in that belong to a specific computer (do not look at the names, it’s just a test). This works too. Whenever I click on the specific stream in the Streams page, the messages just for that server are shown.
I now create a pipeline with a simple rule as stage 0:

rule "create_syslog_fields"
when
  has_field("message")
then
  debug("Pipeline Create Syslog-Test1");
end

I connect the created pipeline with the stream “All Syslog” and nothing happens (no debug message in the log). If I connect the pipeline to the stream “All messages” it works as expected.
What am I doing wrong?

2. Describe your environment:

  • OS Information:
    OpenSuse 15.3

  • Package Version:
    Graylog 4.2
    Elasticsearch 7.10.2

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
see text above

4. How can the community help?
I need help understanding why the messages from the stream “All SYSLOG” are not parsed in the pipeline

I forgot: The streams configuration has a rule:
gl_source_input must match input Linux-Server Input (Syslog UDP: 6205f301d3dde703302d8f7a)

How are you routing the specific server messages into the All Syslog stream?

Also, what is your Message Processor Configuration set up as? Look for it under System -> Configurations. People are often caught with having the “Pipeline Processor” on the wrong side of the “Message Filter Chain”. You likely want the “Message Filter Chain” to run before (have a lower number) the “Pipeline Processor”.


Hello and thank you for the reply.
I created a stream with the stream rule of must match input of “Linux-Server input”, as mentioned above.
As I said, the messages do appear in the stream (when using search).
As for the chain of processing, it is AWS Instance Name lookup (unused by me), followed by GeoIP Resolver, followed by Pipeline Processor, followed by Message Filter chain.
-----
And that did the trick. Changing the order so that the Message Filter Chain is before the Pipeline Processor does now invoke the pipeline just as I want it.
Thank you for that pointer
Cheers

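The processor-order problem resolved above, as an added example that is not part of the original posts or Graylog's own code: a small Python model that reads a processor configuration and reports whether a pipeline connected to a given stream can receive that stream's messages. The JSON layout (`processor_order`, `disabled_processors`, as assumed for `GET /api/system/messageprocessors/config`), the placeholder `class_name` values and all function names are assumptions; the processor names and their order are the ones reported in the thread.

```python
import json

# Constructed sample. Names and order are those reported in the thread;
# the JSON layout is assumed and the class_name values are placeholders.
SAMPLE_CONFIG = """
{
  "processor_order": [
    {"name": "AWS Instance Name Lookup", "class_name": "example.AwsLookup"},
    {"name": "GeoIP Resolver",           "class_name": "example.GeoIp"},
    {"name": "Pipeline Processor",       "class_name": "example.Pipeline"},
    {"name": "Message Filter Chain",     "class_name": "example.FilterChain"}
  ],
  "disabled_processors": []
}
"""

FILTER_CHAIN = "Message Filter Chain"   # applies stream rules (routing)
PIPELINES = "Pipeline Processor"        # runs pipelines connected to streams
DEFAULT_STREAM = "All messages"         # worked in the thread without routing

def enabled_order(config):
    """Names of the enabled processors, in execution order."""
    disabled = set(config.get("disabled_processors", []))
    return [p["name"] for p in config["processor_order"] if p["class_name"] not in disabled]

def pipeline_sees_stream(config, stream):
    """True if a pipeline connected to `stream` can receive its messages."""
    order = enabled_order(config)
    if PIPELINES not in order:
        return False                    # pipelines never run
    if stream == DEFAULT_STREAM:
        return True                     # no stream rule has to match first
    if FILTER_CHAIN not in order:
        return False                    # stream rules are never applied
    return order.index(FILTER_CHAIN) < order.index(PIPELINES)

def move_filter_chain_first(config):
    """Copy of `config` with the filter chain placed directly before the pipelines."""
    procs = list(config["processor_order"])
    chain = next(p for p in procs if p["name"] == FILTER_CHAIN)
    procs.remove(chain)
    idx = next(i for i, p in enumerate(procs) if p["name"] == PIPELINES)
    procs.insert(idx, chain)
    return {**config, "processor_order": procs}

if __name__ == "__main__":
    cfg = json.loads(SAMPLE_CONFIG)
    print("before:", pipeline_sees_stream(cfg, "All Syslog"))
    print("after: ", pipeline_sees_stream(move_filter_chain_first(cfg), "All Syslog"))
```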

Great! Mark it as the answer for future searchers please! :smiley:

Done that just now :slight_smile:
