I’m new to Graylog and am currently attempting to drop level 7 logs (Linux syslogs) before they are written to an index file.
Here is a summary of the setup:
Log messages with a level greater than 5 (syslog 6 and 7) are directed to the non-default stream “syslogs 6 and 7”.
A pipeline “Drop Messages” has been created and connected to the stream “syslogs 6 and 7”
… in the “Drop Messages” pipeline, a rule has been created called “Drop Syslog Messages” with the following code:

```
rule "Drop Syslog Messages"
when
  // compare as text: the level field is usually stored as a number
  to_string($message.level) == "7"
then
  drop_message();
end
```
However it looks like the rule has no effect, i.e. I can see level 7 messages being logged by the Graylog server.
Is it possible the rule is not correct, even though I’m not getting syntax error markers appearing when typing the rule?
Are there diagnostic tools in Graylog or a way to see why the rule is not taking effect?
```
rule "Drop Syslog Messages"
when
  // only evaluate messages that actually carry a level field
  has_field("level") AND
  // match the numeric syslog severity rendered as text, or a textual "debug" level
  ( to_string($message.level) == "7" OR
    lowercase(to_string($message.level)) == "debug" )
then
  drop_message();
end
```
This way it first checks whether the field level is present and after that compares it with the number or the text that might be in that field.
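To see which field values the rule's condition catches, here is an added Python stand-in for the three functions the rule uses (`has_field`, `to_string`, `lowercase`), run over constructed sample messages; it is not Graylog's own pipeline engine and is not code from the thread. The `naive_drop` function assumes a comparison without `to_string`, to show why the cast matters when the level field holds a number.

```python
# Added example, not from the thread: mirrors the rule's "when" clause in Python
# and runs it over constructed messages. Graylog evaluates the real rule itself.

def has_field(msg: dict, name: str) -> bool:
    """Stand-in for Graylog has_field(): true when the field exists."""
    return name in msg

def to_string(value) -> str:
    """Stand-in for Graylog to_string(): renders a number or text as a string."""
    return "" if value is None else str(value)

def lowercase(s: str) -> str:
    """Stand-in for Graylog lowercase()."""
    return s.lower()

def should_drop(msg: dict) -> bool:
    """The rule's condition: has_field("level") AND (level == "7" OR level == "debug")."""
    if not has_field(msg, "level"):
        return False
    level = msg["level"]
    return to_string(level) == "7" or lowercase(to_string(level)) == "debug"

def naive_drop(msg: dict) -> bool:
    """Hypothetical variant without to_string(): compares the raw value to "7"."""
    return msg.get("level") == "7"

def surviving(messages):
    """Messages the index would still receive after the rule runs."""
    return [m for m in messages if not should_drop(m)]

# Constructed sample messages; syslog inputs normally store level as an integer.
SAMPLE = [
    {"source": "host1", "level": 7, "message": "kernel: debug trace"},
    {"source": "host2", "level": "7", "message": "sshd: verbose output"},
    {"source": "host3", "level": "DEBUG", "message": "app: debug line"},
    {"source": "host4", "level": 6, "message": "cron: job finished"},
    {"source": "host5", "message": "no level field at all"},
]

if __name__ == "__main__":
    for m in SAMPLE:
        print("DROP" if should_drop(m) else "KEEP", "naive:", naive_drop(m), m)
```

The integer-level message (host1) is dropped by the rule but not by the naive comparison, which is the case a syslog input produces.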
Thanks for the tip. I had no issues applying the rule you’ve recommended.
However, level 7 syslog messages are still appearing when following logs in real time. I think my issue is in the connections or relationships between the pipeline, rules and stream.
To be specific, the pipeline “Drop Messages” is connected to the stream “Syslogs 6 and 7” and contains the rule “Drop Syslog Messages”.
Are there troubleshooting techniques in Graylog to see why the rule is not taking effect?