Hi, I need to exclude a source from sending messages to graylog. I do not have access to remote source so this needs to be done from graylog side.
I receive input via gelf.
Thank you
It’s a dirty trick, but you can use the Linux firewall. Just block the source IP from accessing the GELF Input port on your Graylog receivers.
Alternatively, it would be better to contact whoever does have access to this source and get them to stop sending messages to the Graylog server…
or you can block the traffic on the firewall, or drop the message in pipelines.
But the cleanest way is what @Ponet mentioned.
Thank you for your replies; I will need to drop the message in pipelines as you mention. I was aware of the other solutions, but I need to drop the message.
Do you know how to?
Since you’re wanting to drop messages from a specific source, I’d recommend a rule similar to the following…
rule "drop messages from unwanted source"
when
  to_string($message.source) == "<value of source field>"
then
  drop_message();
end
I think the message drop is the last resort; it is not so efficient.
An iptables rule doesn't need resources to drop packets from a source, but in Graylog it has to process the message to get the source field.
Yup! Any unwanted log sources could still DoS your box
Better to cut them off hard, through the network / firewall. Why would you even let them waste your resources, if you never want to receive their logging?
Thank you for your rapid replies. I will follow @Ponet's solution, but now I am looking at how to drop messages from a specific station.
import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern
rule "Blacklist Station002"
when
  source == "Station002"
then
  drop_message();
end
The rule you have written in the above post will not work. It is not valid.
Firstly, none of those imports should be there. (Why on earth are you trying to do Java imports in a pipeline rule?)
Secondly, the pipeline rule doesn't know what "source" is; you must specify that you want it to check the source field of the message by using $message.source
Please see the rule I wrote in a previous reply and note the differences between the two.
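A related variant, added here as an example rather than code from any poster: since the GELF source field is filled in by the sending client and can be changed by it, matching on the receiving input's remote address field gl2_remote_ip is more reliable when the goal is to silence one host. The rule name and the address 192.0.2.10 are constructed values; the field names are the standard Graylog ones.

```text
rule "drop GELF messages from unwanted sender"
when
  // gl2_remote_ip is set by the input from the socket, not by the client
  has_field("gl2_remote_ip") &&
  to_string($message.gl2_remote_ip) == "192.0.2.10"
then
  drop_message();
end
```

Attach the rule to a pipeline connected to the stream that receives the GELF input (for example "All messages") so it runs before any other processing on those messages.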
Don't worry, copy-paste is hard work. I have seen many times someone pay a lot for such work.
Thank you all, it has been resolved