Hi, I just installed Graylog. Everything is fine, but… I have too many logs. Please help me with filtering.
I have a stream accepting Windows event logs via GELF.
I am monitoring, for example, EventID 4624 (log on). But this event generates logs not only from people but also from the server or system. I want to delete those messages. So I created a pipeline and applied it to that stream:
The problem is that I am still receiving unwanted messages as below. Am I doing something wrong?
Thanks
Lucas
rule "Drop unnecessary messages"
when
  has_field("TargetUserName") AND
  (
    contains(to_string($message.TargetUserName), "ABRA") OR
    contains(to_string($message.TargetUserName), "DWM") OR
    contains(to_string($message.TargetUserName), "SYSTEM")
  )
then
  drop_message();
end
@Assembler
You can use more than one rule to filter down to the messages you want; since you are using GELF, I'm sure you have multiple fields you can use. Here is an example:
Must match all of the 3 configured stream rules.
There is a problem with stream rules. Now I have ONE stream, WindowsEvents. If I separate it into two streams, WindowsEvents and event 4624:
Stream WindowsEvents
must be filtered
event != 4624
Stream 4624
must be filtered
event = 4624 and (username != "system" OR username != "servername")
How would you do it? Can it be done by regular expression? I don't know. Maybe yes, but for me it is too difficult. Pipelines seem easier. But… I don't know why it is not working. Maybe something is missing.
I found the solution myself: it must be applied to all messages.
rule "Drop unnecessary messages"
when
  has_field("SourceModuleName") AND
  to_string($message.SourceModuleName) == "eventlog" AND
  has_field("TargetUserName") AND
  (
    to_string($message.TargetUserName) == "SYSTEM" OR
    to_string($message.TargetUserName) == "ABRA" OR
    contains(to_string($message.TargetUserName), "DWM")
  )
then
  drop_message();
end
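A tighter variant of the rule above, added here as an example and not part of the original thread: it drops only EventID 4624 messages (so SYSTEM activity in other event types is still kept for detection), and it uses an anchored regex instead of `contains`, which would otherwise also drop real user logons whose account name merely includes "DWM" or "SYSTEM". The field names `EventID`, `SourceModuleName` and `TargetUserName` are those from the thread; `SERVERNAME` stands in for the actual machine account and the `ABRA.*` prefix match is an assumption about how that account is named.

```graylog
rule "Drop 4624 logons from built-in and service accounts"
when
  has_field("SourceModuleName") AND
  to_string($message.SourceModuleName) == "eventlog" AND
  has_field("EventID") AND
  // restrict the drop to successful-logon events only
  to_long($message.EventID) == 4624 AND
  has_field("TargetUserName") AND
  // anchored match: whole account name must be one of these patterns
  // (SERVERNAME is a placeholder for the computer account, which ends in "$")
  regex("^(SYSTEM|DWM-\\d+|ABRA.*|SERVERNAME\\$?)$",
        to_string($message.TargetUserName)).matches == true
then
  drop_message();
end
```

Connect the rule to a pipeline attached to the "All messages" stream (as the solution above notes) or to the WindowsEvents stream, and verify with the pipeline simulator that a real user logon is not matched before enabling it.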