Exclude source from graylog


(teris) #1

Hi, I need to exclude a source from sending messages to Graylog. I do not have access to the remote source, so this needs to be done from the Graylog side.
I receive input via GELF.

Thank you


(Tess) #2

It’s a dirty trick, but you can use the Linux firewall. Just block the source IP from accessing the GELF Input port on your Graylog receivers.


(Jesse Hills) #3

Alternatively, it would be better to contact whoever does have access to this source and get them to stop sending messages to the Graylog server…


#4

Or you can block the traffic on the firewall, or drop the message in pipelines.
But the cleanest way is what @Ponet mentioned.


(teris) #5

Thank you for your replies; I will need to drop the message in pipelines as you mention. I was aware of the other solutions, but I need to drop the message.
Do you know how to?


(Jesse Hills) #6

Since you’re wanting to drop messages from a specific source, I’d recommend a rule similar to the following…

when
    to_string($message.source) == "<value of source field>"
then
    drop_message();
end

#7

I think the message drop is the last resort; it is not so efficient.
An iptables rule doesn't need resources to drop packets from a source, but in Graylog it has to process the message to get the source field.


(Tess) #8

Yup! Any unwanted log sources could still DoS your box :smiley:

Better to cut them off hard, through the network / firewall. Why would you even let them waste your resources, if you never want to receive their logging?


(teris) #9

Thank you for your rapid replies. I will follow @Ponet's solution, but now I am looking at how to drop messages from a specific station.

import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern

rule “Blacklist Station002”
when
source == “Station002”
then
drop_message();
end


(Jesse Hills) #10

The rule you have written in the above post will not work. It is not valid.

Firstly, none of those imports should be there. (Why on earth are you trying to do Java imports in a pipeline rule?)

Secondly, the pipeline rule doesn’t know what “source” is, you must specify that you want it to check the source field of the message by using $message.source

Please see the rule I wrote in a previous reply and note the differences between the two.


#11

Don’t worry, copy-paste is hard work. I have seen many times when someone pays a lot for this kind of work :smiley:


(teris) #12

Thank you all, it has been resolved :grinning::grin:


(system) closed #13

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.