I extracted two fields in the input, and I had changed the message filter chain to come before the Pipeline Processor.
I used debug to check the values, and they turned out null with the following rule:
rule "remote session"
let debug_message = concat("user_source: ", to_string($message.user_source));
let debug_message1 = concat("user_been_used: ", to_string($message.user_been_used));
Under System/Configurations->Message Processor Configurations do you have the Message Filter Chain coming before the Pipeline Processor? If you want your extractors to work before the pipeline, it should…
I have set the message filter chain before the pipeline processor.
Is your debug log from a real message or only from the simulator? I don’t know if it works from the simulator, if that is what you expect.
Can you post the original message and what you are doing in the extractor?
the message: pam_unix(remote:session): session opened for user yyyyy by wwww(uid=0)
the extractor setting:
the real message showed that the extractor worked:
Ran some tests on my side and the extractor was not processed in the simulation run despite having the correct Message Input with associated extractor set. Results were same as yours. (I don’t use any extractors in production - all the work is done in pipeline.)
Maybe submit as a bug: Issues · Graylog2/graylog2-server · GitHub
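The approach the last reply mentions (doing the field extraction in the pipeline rather than in an extractor), sketched as an added example that is not from any poster in this thread. It assumes `user_been_used` is the account the session was opened for and `user_source` is the account after "by"; the thread does not show the extractor settings, so that mapping and the regular expression are assumptions.

```graylog
rule "remote session (fields extracted in the pipeline)"
when
  // Only act on messages shaped like the sample posted in the thread:
  // pam_unix(remote:session): session opened for user yyyyy by wwww(uid=0)
  regex(
    "pam_unix\\(remote:session\\): session opened for user (\\S+) by (\\S+)\\(uid=\\d+\\)",
    to_string($message.message)
  ).matches == true
then
  // Same pattern, this time with names for the two capture groups
  // (field-to-group mapping is an assumption, see the lead-in).
  let m = regex(
    "pam_unix\\(remote:session\\): session opened for user (\\S+) by (\\S+)\\(uid=\\d+\\)",
    to_string($message.message),
    ["user_been_used", "user_source"]
  );
  set_field("user_been_used", m["user_been_used"]);
  set_field("user_source", m["user_source"]);

  // Debug output now reads the values this rule just set, so it does not
  // depend on an input extractor having run before the pipeline.
  debug(concat("user_source: ", to_string($message.user_source)));
  debug(concat("user_been_used: ", to_string($message.user_been_used)));
end
```

Because the rule sets the fields itself, it behaves the same in the simulator and on live messages regardless of the Message Processor ordering.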