Drools failing to drop all logs


(Anant) #1

Hi,

We have created the below rule to drop unwanted logs from reaching the logger, but from our observations it has come to our notice that many of the logs are still reaching the logger and are visible in the search. I am sharing the rule below:

rule "Drop Cisco Session Fields"
when
    m : Message( getField("BuiltOutTCPConn") == "Built outbound TCP connection" ||
                 getField("BuiltOutUDPConn") == "Built outbound UDP connection" ||
                 getField("TDOutTCPConn") == "Teardown TCP connection" ||
                 getField("TDOutUDPConn") == "Teardown UDP connection" ||
                 getField("BuiltTCPTrans") == "Built dynamic TCP translation" ||
                 getField("BuiltUDPTrans") == "Built dynamic UDP translation" ||
                 getField("TDTCPTrans") == "Teardown dynamic TCP translation" ||
                 getField("TDUDPTrans") == "Teardown dynamic UDP translation" )
then
    m.setFilterOut(true);
    log.info("[Drop Logs rule fired] rule fired: {}", m);
end

This rule is dropping most of the logs, as the `log.info("[Drop Logs rule fired] rule fired: {}", m);` statement is writing thousands of lines to the graylog-server log file, indicating that the logs are being dropped. But we are still getting thousands of logs in the Logger.
We are expecting around 600 to 700 eps of the categories that we wish to drop, as mentioned in the rule above, and Graylog in total is receiving around 2400 to 2700 eps (events per second).

Q1. How do we resolve this?
Q2. Is it because of the number of events that the Drools rule is failing to drop every log? When tried with a lower eps it works as expected, dropping every log.
Q3. If the answer to the above question is yes, then how can we increase the capacity of Graylog to process more eps?
Q4. Does Graylog's capacity to process the logs depend on the heap size, and will increasing the size solve this issue? Currently the heap size is set to a maximum of 4 GB.

Please suggest.

Thanks in Advance,
Anant

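An added example, not the rule from the original post: a variant that keys on the raw message text with one anchored regular expression instead of eight separately extracted fields, so the drop decision does not depend on an extractor having populated those fields before the filter runs. It assumes the Graylog 2.x Drools rule file conventions (the org.graylog2.plugin.Message class and the `log` global that Graylog supplies to rules) and that the Cisco ASA session messages contain the quoted phrases verbatim; the rule name and the regex are illustrative.

```drools
import org.graylog2.plugin.Message

// Added example (not from the original post). Assumes Graylog 2.x rule-file
// conventions: Message exposes getMessage()/setFilterOut(), and `log` is the
// SLF4J logger Graylog injects into Drools rules.
rule "Drop Cisco ASA session messages by message text"
when
    // Drools `matches` applies a Java regex to the whole string, hence the
    // leading and trailing .* and the (?s) flag so a multi-line message still
    // matches. Matching the text directly covers all eight phrases from the
    // original rule without relying on extracted fields.
    m : Message( getMessage() matches "(?s).*(Built outbound (TCP|UDP) connection|Teardown (TCP|UDP) connection|Built dynamic (TCP|UDP) translation|Teardown dynamic (TCP|UDP) translation).*" )
then
    m.setFilterOut(true);
    // One log line per dropped event at INFO is itself a write load at
    // hundreds of events per second; keep it at DEBUG and enable it only
    // while verifying the rule, then remove it.
    log.debug("[Drop Cisco ASA session rule fired]: {}", m.getMessage());
end
```

The rule goes in the file named by `rules_file` in graylog.conf. Because a single regex is evaluated per message, it is also easy to test in isolation: paste a few real ASA lines into a Java regex tester against the pattern above before deploying, and confirm that ordinary ASA deny/alert messages do not match.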

(Jochen) #2

Which version of Graylog are you using?


(Anant) #3

Version 2.0. Sorry I missed that


(Jochen) #4

Please upgrade to the latest stable version of Graylog and check if the problem still exists.