I am trying to drop HTTPD logs which we don’t need, with a pipeline. (graylog 2.5)
I have a Syslog UDP input with extractors, one of them extracts the IP where the connection comes from into an “ipv4_address” field.
So we have a lot of APIs and they are called from a lot of servers, producing a load of unnecessary logs, but these connections are coming from the same subnet, let's call it 10.10.10.0/24. I don't want to drop all the API logs, because we need some of them (calls from a different subnet).
So I tried to create a rule like this:
    rule "drop from internal subnet"
    when
      cidr_match("10.10.10.0/24", to_ip($message.ipv4_address))
    then
      drop_message();
    end
It isn't working. To be sure, I created a second rule to check if the message has the extracted ipv4_address field.
    rule "has ipv4 fields"
    when
      has_field("ipv4_address")
    then
    end
So now my pipeline is like:
    pipeline "Drop internal subnet httpd logs"
    stage 1 match all
      rule "has ipv4 fields"
      rule "drop from internal subnet"
    end
Still no luck. What am I doing wrong?
Thanks in advance!
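An added example, not part of the original post and not Graylog code: a small Python emulation of the match logic the two rules express (has_field plus cidr_match on to_ip of the extracted field), run over constructed sample messages. It is useful for checking that the subnet and the field values you expect actually produce a drop decision before debugging the pipeline itself; it says nothing about whether the pipeline is connected to the stream the messages arrive on, which Graylog requires for any rule to run, or whether the extractor has populated ipv4_address by the time the pipeline sees the message. The field name, subnet and sample values come from the post; the handling of a missing or unparseable address (treated as no match, so the message is kept) is an assumption of this emulation, not documented Graylog behaviour.

```python
"""Offline emulation of the pipeline decision from the post:
drop a message when its extracted ipv4_address is inside an internal subnet.
Added example; uses the standard-library ipaddress module, not Graylog."""
import ipaddress

# Subnet from the post.
INTERNAL_SUBNET = ipaddress.ip_network("10.10.10.0/24")


def ip_in_subnet(value, subnet=INTERNAL_SUBNET):
    """Emulate cidr_match(subnet, to_ip(value)).

    Assumption of this emulation: a missing value or a value that is not a
    parseable IPv4 address counts as no match, so the message is kept rather
    than silently dropped.
    """
    if value is None:
        return False
    try:
        addr = ipaddress.ip_address(str(value).strip())
    except ValueError:
        return False
    return addr.version == 4 and addr in subnet


def should_drop(message, subnet=INTERNAL_SUBNET):
    """Emulate the stage with 'match all': has_field("ipv4_address") must hold
    and the address must fall inside the subnet for drop_message() to fire."""
    if "ipv4_address" not in message:
        return False
    return ip_in_subnet(message["ipv4_address"], subnet)


def filter_messages(messages, subnet=INTERNAL_SUBNET):
    """Split messages into (kept, dropped) according to should_drop."""
    kept, dropped = [], []
    for m in messages:
        (dropped if should_drop(m, subnet) else kept).append(m)
    return kept, dropped


# Constructed sample messages, shaped like what a syslog input with an IP
# extractor would produce (field names and values are made up for this example).
SAMPLE_MESSAGES = [
    {"message": "GET /api/v1/users 200", "ipv4_address": "10.10.10.42"},   # internal: drop
    {"message": "GET /api/v1/users 200", "ipv4_address": "10.10.20.7"},    # other subnet: keep
    {"message": "GET /api/v1/users 200", "ipv4_address": " 10.10.10.9 "},  # whitespace from extractor: drop
    {"message": "kernel: link up"},                                       # no field: keep
    {"message": "GET /api/v1/health 200", "ipv4_address": "not-an-ip"},   # unparseable: keep
]

if __name__ == "__main__":
    kept, dropped = filter_messages(SAMPLE_MESSAGES)
    print(f"kept {len(kept)}, dropped {len(dropped)}")
    for m in dropped:
        print("DROP", m)
    for m in kept:
        print("KEEP", m)
```

If this emulation drops the messages you expect but Graylog does not, the match logic is not the problem and the remaining candidates are the pipeline-to-stream connection and whether the field exists with the expected value when the pipeline stage runs.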