Dropping some log messages with specific field value


(Mehmet Ali Buyukkarakas) #1

Dear all,

I would like to drop some syslog messages before wring to indexes.
Some log records contains particular IP addresses and I want to write a rule like

IF source=“xxx” AND IF ip=172.1.1.1 THEN drop.

I cant find a good resource which explains this. Graylog documentation about pipelines wasnt good enough.

Thank you.
Mehmet


(Philipp Ruland) #2

Hey @Mbuyukkarakas,

you actually can just use a pipeline to do that.

rule "dropOnIP"
when
  $message.source = "xxx" AND
  $message.ip = "127.1.1.1"
then
  drop_message();
end

You can either use multiple rules for every IP you want to drop on, or if you are willing to go onto the newest snapshot you can use the new lookup function explained here:

Greetings - Phil


(Mehmet Ali Buyukkarakas) #3

Phil, thank you. I will try all of these and will write back here.

Regards.


(Mehmet Ali Buyukkarakas) #4

Bad news. I couldnt use this config.
The raw log is an apache access log. I used some grok patterns to parse the IP addresses.
What I need is to write something like this

if log_source_server = XXX and IP=y.y.y.y then drop.

I need this because I want to drop most of logs which are about local IP addresses. I just need the public IP’s.
I remarked the local IP’s are one or two different but %90 of logs are about these IP’s. Basically I need to drop them.

Thank you.


(Philipp Ruland) #5

Hey,

is your source field the hostname of your server? If yes, then use the field gl2_remote_ip instead.

Greetings - Phil


(Mehmet Ali Buyukkarakas) #6

Phil,

The source field is not the graylog server. One of my linux servers is sending the logs.

So,

graylog srv : 192.168.2.10
web srv . : 192.168.2.11
The IP that I want to discard : 192.168.7.10

IF source = 192.168.2.11 AND IP=192.168.7.10 then discard.

Exactly what I need.

Thank you.


(Philipp Ruland) #7

Hey,

gl2_remote_ip is the value of the remote ip that send the message to Graylog, so it is your web server ip (192.168.2.11). So, from my understanding this is what you need:

rule "dropOnIP"
when
  $message.gl2_remote_ip = "192.168.2.11" AND
  $message.ip = "192.168.7.10" // I assume that you extract the ip-to-be-dropped-on into the field ip
then
  drop_message();
end

Add this rule to a pipeline and connect that pipeline to a stream the message is running through, that should work.

If I get access to my environment I can test this, but this will not be before saturday…

Greetings - Phil


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.