Configuration of streams

Cruciani_Elliot · July 1, 2020, 7:50am

Hello everyone,

I would like to configure a stream so that it necessarily matches with a rule (the source of this stream), and that it necessarily matches with one of the other two rules that I have set up (because I would like that only two types of messages appear). But I don’t know how to do it since either the stream must match with all the rules or it is enough that only one of the three match rules, which does not suit me either. Does anyone know how to do that?

Thank you

shoothub · July 1, 2020, 8:10am

Pipeline rules could help, check function route_to_stream
https://docs.graylog.org/en/3.3/pages/pipelines/functions.html#route-to-stream

Cruciani_Elliot · July 1, 2020, 8:15am

thank you @shoothub, but I don’t understand where I have to put this function (file?)

shoothub · July 1, 2020, 8:21am

Check docs how to use pipeline in general:
https://docs.graylog.org/en/3.3/pages/pipelines/pipelines.html

route_to_stream is pipeline function, you can use to forward to stream

Pipeline rule can help you, because you have more options in condition AND/OR in when section…
For example:

rule "stream routing"
when
  has_field("A") AND has_field("B") OR has_field("C")
then
    route_to_stream(name: "some name", remove_from_default: true);
end

Cruciani_Elliot · July 1, 2020, 12:51pm

@shoothub, I tried this:
In System -> pipeline I created a pipeline with inside
A first rule to take every messages from the server:

rule "stream routing"
when
    has_field ("Server03")
then
    route_to_stream (name: "Syslog commands logs", remove_from_default: true);
end

then an other rule to specify what I want to filter in the Server03 messages:

rule "msg"
when
    has_field ("key=") OR has_field ("cwd=")
then
    route_to_stream (name: "Syslog commands logs");
end

The 2 rules are in the same stage, but nothing more appears in the stream

shoothub · July 1, 2020, 9:58am

I don’t think, that fields names you use in condition are correct:

"key="

"cwd="

It’s exactly field names extracted in graylog?

Cruciani_Elliot · July 1, 2020, 12:06pm

@shoothub Not really, it’s something that is present in the two field messages of the logs I want to filter. My goal here is to say "all logs that come from Serveur03 and that have “key=” or “cwd=” in the field messages go into the stream “Syslog commands logs”.

shoothub · July 1, 2020, 12:55pm

If you want to find fields directly in message field, you can use this pipeline rule:

rule "msg"
when
    contains(to_string($message.message), "key=") OR 
    contains(to_string($message.message), "cwd=")
then
    route_to_stream(name: "Syslog commands logs");
end

Cruciani_Elliot · July 1, 2020, 12:54pm

Thanks a lot @shoothub

I followed your advices to write this:

rule "Server03_root_commands"
when
    contains(to_string($message.source), "Server03") AND
    (contains(to_string($message.message), "key=") OR 
    contains(to_string($message.message), "cwd="))
then
    route_to_stream (name: "Syslog commands logs", remove_from_default: true);
end

And it’s perfectly work

system · July 15, 2020, 12:55pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.