Dropping some log messages with a specific field value

Dear all,

I would like to drop some syslog messages before writing to indexes.
Some log records contain particular IP addresses and I want to write a rule like

IF source="xxx" AND IF ip=172.1.1.1 THEN drop.

I can't find a good resource which explains this. Graylog documentation about pipelines wasn't good enough.

Thank you.
Mehmet

Hey @Mbuyukkarakas,

you actually can just use a pipeline to do that.

rule "dropOnIP"
when
  // pipeline rules compare with "==", not "="
  $message.source == "xxx" AND
  $message.ip == "172.1.1.1"   // the IP from the question
then
  drop_message();
end

You can either use multiple rules for every IP you want to drop on, or if you are willing to go onto the newest snapshot you can use the new lookup function explained here:

Greetings - Phil

Phil, thank you. I will try all of these and will write back here.

Regards.

Bad news. I couldn't use this config.
The raw log is an apache access log. I used some grok patterns to parse the IP addresses.
What I need is to write something like this

if log_source_server = XXX and IP=y.y.y.y then drop.

I need this because I want to drop most of the logs which are about local IP addresses. I just need the public IPs.
I noticed the local IPs are only one or two different ones, but 90% of the logs are about these IPs. Basically I need to drop them.

Thank you.

Hey,

is your source field the hostname of your server? If yes, then use the field gl2_remote_ip instead.

Greetings - Phil

Phil,

The source field is not the Graylog server. One of my Linux servers is sending the logs.

So,

graylog srv : 192.168.2.10
web srv : 192.168.2.11
The IP that I want to discard : 192.168.7.10

IF source = 192.168.2.11 AND IP=192.168.7.10 then discard.

Exactly what I need.

Thank you.

Hey,

gl2_remote_ip is the value of the remote IP that sent the message to Graylog, so it is your web server IP (192.168.2.11). So, from my understanding this is what you need:

rule "dropOnIP"
when
  // gl2_remote_ip is the address of the host that delivered the message
  to_string($message.gl2_remote_ip) == "192.168.2.11" AND
  $message.ip == "192.168.7.10" // I assume that you extract the ip-to-be-dropped-on into the field ip
then
  drop_message();
end

Add this rule to a pipeline and connect that pipeline to a stream the message is running through, that should work.

If I get access to my environment I can test this, but this will not be before Saturday…

Greetings - Phil

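The original poster's actual goal is broader than one address: keep only public client IPs from the web server's Apache access log and drop everything from the private ranges. The rule below is an added example, not code posted in this thread or shipped by Graylog, and it generalizes Phil's single-IP rule to all three RFC 1918 ranges with cidr_match(). It assumes the grok extractor stores the client address in a string field named ip, that gl2_remote_ip holds the web server address 192.168.2.11, and that the rule runs in a stage after the ip field already exists (input extractors run before pipelines, so a grok extractor on the input is fine).

```graylog
// Added example, not from the thread: drop Apache access-log messages
// forwarded by the web server (192.168.2.11) whose parsed client address
// (field "ip", assumed to be created by the grok extractor) is private.
// Public client IPs pass through untouched.
rule "drop private client IPs from web server"
when
  // only messages delivered by the web server itself
  to_string($message.gl2_remote_ip) == "192.168.2.11" &&
  // to_ip() on a missing or unparsable value fails the rule, so guard first
  has_field("ip") &&
  (
    cidr_match("10.0.0.0/8",     to_ip($message.ip)) ||
    cidr_match("172.16.0.0/12",  to_ip($message.ip)) ||
    cidr_match("192.168.0.0/16", to_ip($message.ip))
  )
then
  drop_message();
end
```

Add the rule to a pipeline stage, connect the pipeline to the stream the web server messages flow through (the default "All messages" stream if no other routing exists), and check the pipeline simulator with one message from a private client and one from a public client before enabling it: the first should show "message dropped", the second should pass. Note that pipeline rules use == for comparison; a single = is a syntax error.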
