Drop message with rules.drl : Problem

Groucou · November 30, 2017, 3:39pm

Hi,

I would like to set up a rule that automatically deletes some messages.
For that I enable in server.conf drools rule file.

In my file rules.drl I put :

import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern

rule "delete message '/sandbox/files_d/'"
  when
        m : Message( getField("message") matches "^sandbox_file_d.*" )
  then
        m.setFilterOut(true);
end

But when I search this message (sandbox_file_d) I always the log

This is an message exemple that I want to drop :

Client_IP
1.1.1.1

Elapsed_ms
0

Host
firewall-server

Short_message
GET /sandbox/files_d/ENT-MARNE_d/sandbox_file_d/:ENT-TEST:hosted-content::logon_TEST_v1.css_1476697711079_17_92748_1 HTTP/1.1

UserAgent
Mozilla/5.0 (Linux; Android 5.0.2; SM-T550 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Safari/537.36

VS_Name
/ENT-TEST/VS-ENTTEST

facility
FW_access_log

httpStatus
200 OK

level
-1

message
{"facility":"FW_access_log","Host":"firewall-server", "Short_message":"GET /sandbox/files_d/ENT-TEST_d/sandbox_file_d/:ENT-TEST:hosted-content::logon_TEST_v1.css_1476697711079_17_92748_1 HTTP/1.1", "httpStatus":"200 OK",  "UserAgent":"Mozilla/5.0 (Linux; Android 5.0.2; SM-T550 Build/LRX22G) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.84 Safari/537.36", "Client_IP":"1.1.1.1", "User":"", "respBytes":"2600", "Elapsed_ms":"0", "VS_Name":"/ENT-TEST/VS-ENTTEST", "Pool_Name":"", "Server_IP":"" }

respBytes
2600

source
192.168.253.2

timestamp
2017-11-30T15:30:24.738Z

jochen · November 30, 2017, 4:09pm

There was a similar question recently in the GitHub issues:

github.com/Graylog2/graylog2-server

drools, blacklisting, syslog, DHCP

opened 05:27PM - 24 Nov 17 UTC

closed 08:03AM - 27 Nov 17 UTC

vti-uplata

Hello. I've tried to blacklist messages that come from syslog to input SYSLOG…-TCP and contain "DHCP". Here's input ![02_graylog_syslog_tcp_input](https://user-images.githubusercontent.com/28108696/33219641-199f0d92-d14c-11e7-94c4-97c6e0ee59dd.png) Here's one of such messages ![01-dhcp_graylog](https://user-images.githubusercontent.com/28108696/33219606-e958777c-d14b-11e7-9a6f-7b3dfd5b9168.png) Here's the rule import org.graylog2.plugin.Message import java.util.regex.Matcher import java.util.regex.Pattern rule "Drop DHCP" when m : Message( message matches "^DHCP.*(.|\n|\r)*" ) then System.out.println("DEBUG: Blacklisting DHCP message."); m.setFilterOut(true); end service graylog restart 2017-11-24T18:18:05.339+02:00 INFO [RulesEngineProvider] Using rules: /etc/graylog/server/rules.drl I've tried both variants - "^DHCP.*" and "^DHCP.*(.|\n|\r)*" and new messages arrived to graylog and were not filtered out. Graylog v2.3.2+3df951e Ubuntu 14.04.5 LTS Linux grayloguser 4.4.0-96-generic x86_64 ava(TM) SE Runtime Environment (build 1.8.0_151-b12)

Also, I want to remind everyone of this:

Groucou · December 1, 2017, 9:14am

Ok thanks for your answer

I succeeded add a pipelinbe and rule for drop message when the filed “Host” is equal to “firewall”.

But I would like to add another rule for drop all messages that contain the worl jpg, png and gif in “Short_message” field.

rule "drop jpg"
when
has_field(“Short_message”) && to_string($message.Short_message) == "^jpg.*"
then
drop_message();
end

But it doesn’t work

jochen · December 1, 2017, 10:03am

Does the “Short_message” field exist?

Groucou · December 1, 2017, 10:24am

Yes of course.
I find solution

rule "drop f5-server"
when
has_field(“Host”) && to_string($message.Host) == "f5-server"
then
drop_message();
end

system · December 15, 2017, 10:24am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.