Hi guys, please what’s the exact syntax if i want to remove a certain i.p address using pipelines.
e.g
when
src_ip != 10.10.10.255
then
set_field ();
end
You can access message fields (e. g. “src_ip”) with $message.src_ip and drop messages with drop_message().
Can u help combine both $message.src_ip and drop_message() under a “when” condition?
Thanks
You can find some examples at http://docs.graylog.org/en/2.3/pages/pipelines/rules.html#rule-structure
Do you have a specific problem with creating the rule?
i have used the $message.src_ip in many pipeline rules and it worked fine…just need the syntax for combining both $message.src_ip and drop_message() to exclude a particular source i.p address.
You would check the “src_ip” field in the when block and drop the message in the then block.
Okay Okay, something like this:
rule "use"
when
has_field(“src_ip”)
then
drop_message(“10.10.10.255”)
setfield()
end
more like
rule "use"
when
has_field("src_ip") AND $message.src_ip == "10.10.10.255"
then
drop_message()
end
Thanks J, It worked. I appreciate
1 Like
rule "Proxy Top Users and Category"
when
is_not_null("EMAILLOCALPART") && has_field("Proxy_Category")
then
let Name_join = concat(to_string($message.EMAILLOCALPART), " ------> ");
let Name_ID = concat(Name_join,to_string($message.Proxy_Category));
set_field(field:"Proxy_Names", value: Name_ID);
end
I still get empty fields appear as some of my email_users even though i used the “is_not_null”. What am I getting wrong please.
Thanks
Please consider subscribing to professional support if you require individual and detailed help in your setup.
Thanks…i have fixed it already using the rule below:
rule "Proxy Top Users and Category"
when
is_not_null(message.EMAILLOCALPART) && has_field("Proxy_Category")
then
let Name_join = concat(to_string($message.EMAILLOCALPART), " ------> ");
let Name_ID = concat(Name_join,to_string($message.Proxy_Category)); set_field(field:"Proxy_Names", value: Name_ID);
end
Good day, pls i need a quick fix on this because it isnt fetching nothing.
rule "FW_Outbound2"
when
( $message.IP == "10.*" OR $message.IP == "172.16.*" OR $message.IP == "172.17.*" OR $message.IP == "172.18.*" OR $message.IP == "172.19.*" OR $message.IP == "172.2O.*" OR $message.IP == "172.21.*"
OR $message.IP == "172.22.*" OR $message.IP == "172.23.*" OR $message.IP == "172.24.*" OR $message.IP == "172.25.*" OR $message.IP == "172.26.*" OR $message.IP == "172.27.*"
OR $message.IP == "172.28.*" OR $message.IP == "172.29.*" OR $message.IP == "172.30.*" OR $message.IP == "172.31.*"
OR $message.IP == "192.168.*") AND $message.Firewall_DestinationIP != "4.2.2.2" AND $message.Firewall_DestinationIP != "8.8.8.8" AND $message.Firewall_DestinationIP != "255.255.255.255"
AND $message.Firewall_DestinationIP != "10.10.2.255"
then
let Name_join = concat(to_string($message.timestamp), " ------> ");
let Name_ID = concat(Name_join,to_string($message.IP));
let Name_ID2 = concat(Name_ID, ("---------->"));
let Name_ID3 = concat(Name_ID2,to_string($message.Firewall_DestinationIP));
let Name_ID4 = concat(Name_ID3, ("---------->"));
let Name_ID5 = concat(Name_ID4,to_string($message.dst_port));
let Name_ID6 = concat(Name_ID5, ("---------->"));
let Name_ID7 = concat(Name_ID6,to_string($message.categoryOutcome));
set_field(field:"FW_OutboundS", value: Name_ID7);
end
Thanks.
1 Like
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.