I am trying to drop a message from a pipeline. According to the pipeline simulator the message is being caught and should be dropped. However, I still see the message in my search results and see that it is being indexed. The message I want to drop contains the text:
“Client 00:17:23:a4:0b:73 may be using an incorrect PSK”
My rule is:
rule "remove WLC Client PSK Spam"
when
  // only look at messages that actually carry a message field
  has_field("message") &&
  contains(to_string($message.message), "Client 00:17:23:a4:0b:73 may be using an incorrect PSK")
then
  // discard the matching message so it is never indexed
  drop_message();
end
Here is the simulation screenshot:
Pipeline processing is enabled on my Graylog server. Anything else I should check?
Also, the input that this message comes in on is a UDP syslog input. However, in the simulator, if I choose the syslog codec, I cannot get a message to load. Not sure if that is part of my problem. What would the correct syntax be in the raw message field of the simulator for a syslog message?
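As an added illustration (not part of the original post), here is the complete drop rule together with a constructed RFC 3164 syslog line of the kind the simulator's syslog codec expects in its raw message field; the priority value, timestamp and host name are made up for the example:

```graylog
// Constructed raw syslog line for the simulator (Syslog codec), RFC 3164 form:
//   <134>Jun 10 12:00:00 wlc01 WLC: Client 00:17:23:a4:0b:73 may be using an incorrect PSK
// After decoding, the text following "WLC: " ends up in the message field.
rule "remove WLC Client PSK Spam"
when
  has_field("message") &&
  contains(to_string($message.message), "Client 00:17:23:a4:0b:73 may be using an incorrect PSK")
then
  drop_message();
end
```

For the rule to affect live traffic, the pipeline containing it must also be connected to the stream that the syslog input's messages are routed to; the simulator applies the rule to the pasted message regardless, so a simulator match with unchanged search results usually points at a missing pipeline-to-stream connection or at the rule not being attached to a pipeline stage.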