I am trying to drop a message from a pipeline. According to the pipeline simulator the message is being caught and should be dropped. However, I still see the message in my search results and see that it is being indexed. The message I want to drop contains the text:
“Client 00:17:23:a4:0b:73 may be using an incorrect PSK”
My rule is:
rule "remove WLC Client PSK Spam"
when
  // only evaluate messages that actually carry a message field
  has_field("message") &&
  contains(to_string($message.message), "Client 00:17:23:a4:0b:73 may be using an incorrect PSK")
then
  drop_message();
end
Pipeline processing is enabled on my Graylog server. Anything else I should check?
Also, the input that this message comes in on is a UDP syslog input. However, in the simulator, if I choose the syslog codec, I cannot get a message to load. Not sure if that is part of my problem. What would the correct syntax be in the raw message field of the simulator for a syslog message?
The pipeline simulator requires the full syslog message, not only the message text, if you choose the syslog message codec, so please add a complete syslog message in the form <PRI>syslog message, like: <165>*Jun 05 14:45:26.511: %DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:516 Client 00:1c:bf:c6:09:a8 may be using an incorrect PSK
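To make the reply concrete, here is an added example (not code from this thread and not part of Graylog) that shows why a bare message body fails under the syslog codec while a line framed with the RFC 3164 <PRI> prefix loads, how that prefix is computed (facility * 8 + severity, so <165> is local4.notice), and what the rule's has_field/contains condition evaluates to on the parsed fields. The sample lines are constructed for illustration, the helper names are my own, and PSK_NEEDLE deliberately generalises the poster's rule from one client MAC to the trailing phrase; that generalisation is an assumption, not something the thread states.

```python
import re

# RFC 3164 facility and severity names indexed by code; PRI = facility * 8 + severity.
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "solaris-cron",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample inputs (not captured from the poster's controller): the full
# line from the reply above, and the bare text the poster first tried to load.
FULL_SYSLOG_LINE = (
    "<165>*Jun 05 14:45:26.511: %DOT1X-3-PSK_CONFIG_ERR: 1x_ptsm.c:516 "
    "Client 00:1c:bf:c6:09:a8 may be using an incorrect PSK"
)
BARE_MESSAGE_BODY = "Client 00:17:23:a4:0b:73 may be using an incorrect PSK"

# Assumption: match the trailing phrase instead of the single MAC the poster's
# rule pins, so the same alert is dropped for every client.
PSK_NEEDLE = "may be using an incorrect PSK"

_PRI_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.+)$", re.S)


def build_syslog_line(facility: str, severity: str, body: str) -> str:
    """Frame a message body as RFC 3164 syslog by prepending <PRI>."""
    pri = FACILITIES.index(facility) * 8 + SEVERITIES.index(severity)
    return f"<{pri}>{body}"


def parse_syslog_line(line: str) -> dict:
    """Minimal RFC 3164 framing check: <PRI> followed by the message text.

    Raises ValueError when the <PRI> prefix is missing or out of range, which is
    the situation a syslog codec is in when handed a bare message body.
    """
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("no <PRI> prefix: not a framed syslog message")
    pri = int(m.group("pri"))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range 0..191")
    return {
        "facility": FACILITIES[pri // 8],
        "level": SEVERITIES[pri % 8],
        "message": m.group("rest"),
    }


def is_framed_syslog(line: str) -> bool:
    """True when parse_syslog_line() accepts the line."""
    try:
        parse_syslog_line(line)
    except ValueError:
        return False
    return True


def rule_would_drop(fields: dict, needle: str = PSK_NEEDLE) -> bool:
    """Same condition as the rule: has_field("message") && contains(to_string($message.message), needle)."""
    return "message" in fields and needle in str(fields["message"])


if __name__ == "__main__":
    for line in (FULL_SYSLOG_LINE, BARE_MESSAGE_BODY):
        if is_framed_syslog(line):
            fields = parse_syslog_line(line)
            print(f"framed {fields['facility']}.{fields['level']}: drop={rule_would_drop(fields)}")
        else:
            print("rejected: paste a full <PRI>... line into the simulator")
```

Running it shows the framed line parsed as local4.notice with the rule evaluating to true, and the bare body rejected, which is the "cannot get a message to load" symptom. build_syslog_line() turns any bare body into something the syslog codec will accept.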
Yup, changed the order and all works. It appears that before I could evaluate the message field properly, I had to process it first with the message filter chain. Is there any downside to ordering my processing with filters before pipelines? I am assuming that the default of pipeline before filter is for a reason?