Excluding logs using pipeline


#1

Hello,

I’m having issues excluding some logs from graylog, as they are quite spammy.

The messages I’m trying to exclude are from SNMP.

application_name: snmpd
facility: system daemon
from_syslog: true
level: 6
message: Connection from UDP: [10.85.1.30]:64093->[10.75.3.25]
process_id: 2497
source: hermes
timestamp: 2018-10-22T04:50:06.898Z

They all have this portion of the message:
Connection from UDP: [10.85.1.30]:

Here’s what I have so far;

rule "remove spammy snmp"
when
  has_field("message") && to_string($message.message) == "Connection from UDP: [10.85.1.30]"
then
  drop_message();
end

Unfortunately it's not working, which I assume means I haven't got the right match requirements.
Can someone please give me an example on how this would work?

Thanks for your time!


(Jesse Hills) #2

Hi @rosstola

The when condition you are performing in that rule is an exact match; however, the complete contents of the message field (in the given example) are "Connection from UDP: [10.85.1.30]:64093->[10.75.3.25]"

I would suggest changing your rule to something similar to the below:

rule "remove spammy snmp"
when
  has_field ("message") &&
  contains(to_string($message.message), "Connection from UDP: [10.85.1.30]")
then
  drop_message();
end

Thanks.

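To make the difference between the two rules concrete, here is an added Python model of how a pipeline stage would partition messages under the original exact-match condition and under the suggested contains() condition. It is example code written for this thread, not Graylog's own implementation; the sample messages are constructed to have the shape shown above. It also goes one step beyond the reply with an anchored variant that only drops snmpd messages whose text starts with the full "[ip]:port->" shape from the known poller, which is the narrower filter you would normally want before discarding anything from the log stream.

```python
import re

# Constructed sample messages in the shape shown in the thread (not real log data).
SAMPLE_MESSAGES = [
    {"application_name": "snmpd",
     "message": "Connection from UDP: [10.85.1.30]:64093->[10.75.3.25]"},
    {"application_name": "snmpd",
     "message": "Connection from UDP: [10.85.1.30]:50122->[10.75.3.25]"},
    # Same text, different peer: should NOT be dropped by a poller-specific rule.
    {"application_name": "snmpd",
     "message": "Connection from UDP: [192.0.2.77]:4711->[10.75.3.25]"},
    # Unrelated daemon that happens to mention the same address.
    {"application_name": "sshd",
     "message": "Accepted publickey for ops from 10.85.1.30 port 41022"},
]

# The literal the original poster compared against.
NEEDLE = "Connection from UDP: [10.85.1.30]"


def exact_match_rule(msg):
    """Mirror of the original rule: drop only if the whole message equals NEEDLE.

    Real messages carry ":<port>-><dest>" after the address, so this never fires.
    """
    return msg.get("message") == NEEDLE


def contains_rule(msg):
    """Mirror of the suggested fix: drop if NEEDLE appears anywhere in the message."""
    return NEEDLE in msg.get("message", "")


# Anchored variant (assumption: the noisy traffic is always snmpd + this poller IP).
# Dots are escaped so "10.85.1.30" cannot match e.g. "10x85x1x30"; the trailing
# "->[" requires the complete connection-log shape rather than a loose substring.
POLLER_RE = re.compile(r"^Connection from UDP: \[10\.85\.1\.30\]:\d+->\[")


def anchored_rule(msg):
    """Drop only snmpd connection lines from the known poller, nothing else."""
    return (msg.get("application_name") == "snmpd"
            and POLLER_RE.match(msg.get("message", "")) is not None)


def apply_rule(rule, messages):
    """Return (kept, dropped) lists, the way a drop_message() stage partitions input."""
    kept, dropped = [], []
    for m in messages:
        (dropped if rule(m) else kept).append(m)
    return kept, dropped


RULES = {
    "exact": exact_match_rule,
    "contains": contains_rule,
    "anchored": anchored_rule,
}


def drop_counts(messages=SAMPLE_MESSAGES):
    """How many of the sample messages each rule would discard."""
    return {name: len(apply_rule(rule, messages)[1]) for name, rule in RULES.items()}


if __name__ == "__main__":
    for name, count in drop_counts().items():
        print(f"{name:9s} rule drops {count} of {len(SAMPLE_MESSAGES)} messages")
```

Run it and the exact rule drops nothing, which is the behaviour the original poster saw, while both the contains and anchored rules drop the two poller lines and leave the other peer's connection and the sshd line alone. Whichever form you use in Graylog, check the dropped count on a test stream first; a filter that is too broad silently removes evidence you may later need.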

(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.