For some reason, my extractors are not functioning prior to the pipelines.
I’ve been trying to have pipelines run rules based off fields, and found it wasn’t finding the fields due to the extractor not working in the pipelines.
I understood that in order to access the Extracted fields from the Extractors you needed to order the Messages Processors Configuration like above. As long as the Pipeline Processor is after the Message Filter Chain, you should be able to access the extracted fields. Is this not correct?
I can still run the rules but only with the $message.message field. It fails every time on any $message.field value.
The extractors do work under the all messages stream, as I can see the extracted fields. Any ideas?
What does that mean exactly? What extractors did you define and what did you expect to happen?
I am trying to be able to use the extracted fields in the pipeline rules.
For example, I have Extractors that extract data using Regex and place that into a field called Server. (I know this works as I can see the extracted fields in the streams.)
When I make a pipeline rule in the form of:
when to_string($message.Server) == “Some string”
Or contains(to_string($message.Server), “Some string”)
Whenever I attempt to access the $message.Field it returns false as it cannot find the field. This is further confirmed through the simulate processing feature, and in the server.log.
[EqualityExpression] left expression evaluated to null, returning false: $message.Server
My understanding was that if I wanted to have the pipelines able to access the extracted fields I had to place the Message Filter Chain as a higher priority than the Pipeline Processor.
I’m trying to understand if I’m doing something wrong.
What’s your specific rule?
Yes, this is correct.
rule “GPL Attack_Response”
to_string($message.Signature) == “GPL ATTACK_RESPONSE id check returned root”
But I’m no longer getting the log errors and it’s going through. I have no idea what’s changed.
It seems any time I ask for help, the problem resolves itself.
Thanks. Sorry about this.
I am facing exactly the same issue. Tired restarting the docker image but it seems like nothing is changing.
I have syslog iptable logs and the extractor is just groking 5 tuples so I can run threat intelligence plugins.
Message filter is configured to be used before pipeline rules.
please create a new thread @Phil.ross the previous is 3 years old.