Drop Incoming Message Containing a Specific Word

Graylog Central (peer support)
1

I have apache logs coming into Graylog. In these logs is a log entry message coming in every 5 seconds and it has the word OPTIONS in it. I want to drop these message and not index them. I created a pipeline and a rule, but doesn’t appear to be working.

I can do a simple search: message:OPTIONS and I see the messages. So I created a rule and assigned to the stream:

rule “Drop Apache Noise”
when
contains(to_string($message.message), “OPTIONS”, false)
then
drop_message();
end

Doesn’t work, still got messages coming in and getting indexed.
Am I close?

2

have you checked the processing line under system-> configuration -> Message Processors Configuration

3

pipeline and message processing filters are both active.

4

and the order?
the message processor tags the streams on the message

5

pipeline is 1 and filter is 2 and AWS is 3 and GEOIP is 4

6

What stream is your pipeline connected to?
Since pipeline happens before filter, try connecting it to “all messages”. You may want to add a few more conditions in the “when” section not to alter other logs by mistake.

7

AHHH, that was it. I attached the pipeline to ALL MESSAGES and wallah. Working now.

Yes, now that it is working, I will fine tweak with some more when conditions.

thanks for the help.

8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.