Drop message with rules.drl : Problem

Graylog Central (peer support)
1

Hi,

I would like to set up a rule that automatically deletes some messages.
For that I enable in server.conf drools rule file.

In my file rules.drl I put :

import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern

rule "delete message '/sandbox/files_d/'"
  when
        m : Message( getField("message") matches "^sandbox_file_d.*" )
  then
        m.setFilterOut(true);
end

But when I search this message (sandbox_file_d) I always the log :sleepy:

This is an message exemple that I want to drop :

Client_IP
1.1.1.1

Elapsed_ms
0

Host
firewall-server

Short_message
GET /sandbox/files_d/ENT-MARNE_d/sandbox_file_d/:ENT-TEST:hosted-content::logon_TEST_v1.css_1476697711079_17_92748_1 HTTP/1.1

UserAgent
Mozilla/5.0 (Linux; Android 5.0.2; SM-T550 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Safari/537.36

VS_Name
/ENT-TEST/VS-ENTTEST

facility
FW_access_log

httpStatus
200 OK

level
-1

message
{"facility":"FW_access_log","Host":"firewall-server", "Short_message":"GET /sandbox/files_d/ENT-TEST_d/sandbox_file_d/:ENT-TEST:hosted-content::logon_TEST_v1.css_1476697711079_17_92748_1 HTTP/1.1", "httpStatus":"200 OK",  "UserAgent":"Mozilla/5.0 (Linux; Android 5.0.2; SM-T550 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Safari/537.36", "Client_IP":"1.1.1.1", "User":"", "respBytes":"2600", "Elapsed_ms":"0", "VS_Name":"/ENT-TEST/VS-ENTTEST", "Pool_Name":"", "Server_IP":"" }

respBytes
2600

source
192.168.253.2

timestamp
2017-11-30T15:30:24.738Z
2

There was a similar question recently in the GitHub issues:

Also, I want to remind everyone of this:

3

Ok thanks for your answer :slight_smile:

I succeeded add a pipelinbe and rule for drop message when the filed “Host” is equal to “firewall”.

But I would like to add another rule for drop all messages that contain the worl jpg, png and gif in “Short_message” field.

rule "drop jpg"
when
has_field(“Short_message”) && to_string($message.Short_message) == "^jpg.*"
then
drop_message();
end

But it doesn’t work :frowning:

4

Does the “Short_message” field exist?

5

Yes of course.
I find solution :slight_smile:

rule "drop f5-server"
when
has_field(“Host”) && to_string($message.Host) == "f5-server"
then
drop_message();
end

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.