Dropping messages using Pipelines

Hi all,

I’m new to Graylog and am currently attempting to drop level 7 logs (Linux syslogs) before they are written to an index file.

Here is a summary of the setup:

  • Log files with a level greater than 5 (syslog 6 and 7) are directed to the non-default stream “syslogs 6 and 7”.
  • A pipeline “Drop Messages” has been created and connected to the stream “syslogs 6 and 7”
  • … in the “Drop Messages” pipeline, a rule has been created called “Drop Syslog Messages” with the following code:

```
rule "Drop Syslog Messages"
when
    to_string($message.level) == "7"
then
    drop_message();
end
```

However it looks like the rule has no effect, i.e. I can see level 7 messages being logged by the Graylog server.

  • Is it possible the rule is not correct, even though I’m not getting syntax error markers appearing when typing the rule?

  • Are there diagnostic tools in Graylog or a way to see why the rule is not taking effect?

Thanks,

John

Hi,

Your rule is correct; maybe the problem is with $message.level. Check whether $message.level contains the value 7 or not.

I would go with the following rule:

```
rule "Drop Syslog Messages"
when
    has_field("level") AND
    ( to_string($message.level) == "7" OR
      lowercase(to_string($message.level)) == "debug" )
then
    drop_message();
end
```

This way it first checks whether the field level is present and after that compares it with the number or the text that might be in that field.
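As an added illustration (not code from the thread or from Graylog itself), the rule above rewritten as a small Python stand-in so its matching logic can be checked offline against sample messages; `has_field`, `to_string` and `lowercase` mimic the pipeline functions of the same names, and the message dicts are constructed here. If the rule matches the expected messages in this simulation but level 7 messages still reach the index, the rule body is not the problem and the stream-to-pipeline connection is the place to look.

```python
# Added example, not from the thread: a Python stand-in for the Graylog
# pipeline rule "Drop Syslog Messages". has_field/to_string/lowercase
# imitate the pipeline functions of the same name (assumption: to_string
# renders an integer 7 as "7", as Graylog does). Sample messages are constructed.

def has_field(msg, name):
    """Pipeline has_field(): true if the message carries the named field."""
    return name in msg

def to_string(value):
    """Pipeline to_string(): integer 7 -> "7", string passes through unchanged."""
    return str(value)

def lowercase(s):
    """Pipeline lowercase()."""
    return s.lower()

def drop_syslog_messages(msg):
    """Return True when the rule's 'when' clause matches, i.e. the message is dropped."""
    return has_field(msg, "level") and (
        to_string(msg["level"]) == "7"
        or lowercase(to_string(msg["level"])) == "debug"
    )

def filter_stream(messages):
    """Apply the rule to a whole stream; return only the messages that survive."""
    return [m for m in messages if not drop_syslog_messages(m)]

# Constructed sample stream resembling what a syslog input would deliver.
SAMPLE_STREAM = [
    {"message": "cron job started", "level": 7},      # numeric 7 -> dropped
    {"message": "sshd accepted key", "level": 6},     # level 6 -> kept
    {"message": "debug trace", "level": "DEBUG"},     # text level, any case -> dropped
    {"message": "no level field at all"},             # has_field fails -> kept
    {"message": "level sent as text", "level": "7"},  # string "7" -> dropped
]

if __name__ == "__main__":
    for kept in filter_stream(SAMPLE_STREAM):
        print("kept:", kept["message"])
```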

Thanks for the tip. I had no issues applying the rule you’ve recommended.

However, level 7 syslog messages are still appearing when following logs in real time. I think my issue is in the connections or relationships between the pipeline, rules and stream.

To be specific, the pipeline “Drop Messages” is connected to the stream “Syslogs 6 and 7” and contains the rule “Drop Syslog Messages”.

  • Are there troubleshooting techniques in Graylog to see why the rule is not taking effect?
