Help with stream rule

1. Describe your incident:
Trying to create a stream rule based off the src_ip; I wish to have all messages with a src_ip of 192.168. moved into a stream. Tried using the match regular expression: selected the src_ip field, selected match regular expression, and for the value tried various incarnations of 192\.168\..*\..*. It seems that the rule test says it worked, however messages are not being routed into the stream…

2. Describe your environment:

  • OS Information: linux

  • Package Version: Graylog 5.2.3+9aee303

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
Tried different incarnations of 192.168....

4. How can the community help?
I'm thinking the wildcards may be the issue; eventually I was trying to create an incoming stream and an outgoing stream…


This is what worked:
// Drops messages where both src_ip and dst_ip contain "192.168" (internal-to-internal traffic).
rule "internal"
when
  contains(to_string($message.src_ip), "192.168")
  and
  contains(to_string($message.dst_ip), "192.168")
then
  drop_message();
end

rules test is not reliable…

Hey @2045kdy

If you are trying to route on that field when it contains that IP address, you need route_to_stream in your pipeline.

example:

then
  route_to_stream(id: "58cc0a2e2bf0923e5c4b4acc");
end
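As an added example (not code from either post, and not Graylog's own implementation), the following Python emulates the posted "internal" rule and the routing decision from the reply over constructed messages, and shows the caveat a substring test on "192.168" carries: it also matches addresses such as 10.192.168.44 that are not in 192.168.0.0/16. The stream names internal/inbound/outbound are assumed; in a Graylog pipeline rule the CIDR check is available as cidr_match("192.168.0.0/16", to_ip($message.src_ip)).

```python
import ipaddress

# Constructed sample messages, reduced to the fields the rule touches.
SAMPLE_MESSAGES = [
    {"_id": "m1", "src_ip": "192.168.10.5",  "dst_ip": "192.168.20.9"},   # internal <-> internal
    {"_id": "m2", "src_ip": "192.168.10.5",  "dst_ip": "203.0.113.7"},    # outbound
    {"_id": "m3", "src_ip": "198.51.100.3",  "dst_ip": "192.168.20.9"},   # inbound
    {"_id": "m4", "src_ip": "10.192.168.44", "dst_ip": "10.192.168.45"},  # substring false positive
    {"_id": "m5", "src_ip": "not-an-ip",     "dst_ip": "192.168.20.9"},   # unparsable src field
]

INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")


def posted_rule_matches(msg):
    """Emulates the posted rule: contains(to_string(src_ip), "192.168") and the same for dst_ip."""
    return "192.168" in str(msg.get("src_ip", "")) and "192.168" in str(msg.get("dst_ip", ""))


def is_internal(value):
    """True only if value parses as an IP address inside 192.168.0.0/16 (the CIDR-style check)."""
    try:
        return ipaddress.ip_address(str(value)) in INTERNAL_NET
    except ValueError:
        return False  # missing or malformed field never counts as internal


def cidr_rule_matches(msg):
    """Same intent as the posted rule, but using a real network membership test."""
    return is_internal(msg.get("src_ip")) and is_internal(msg.get("dst_ip"))


def classify(msg):
    """Returns the stream a message would be routed to: 'internal', 'outbound', 'inbound', or None."""
    src, dst = is_internal(msg.get("src_ip")), is_internal(msg.get("dst_ip"))
    if src and dst:
        return "internal"
    if src:
        return "outbound"
    if dst:
        return "inbound"
    return None


def find_false_positives(messages):
    """Message ids the substring rule would drop even though both ends are not in 192.168.0.0/16."""
    return [m["_id"] for m in messages if posted_rule_matches(m) and not cidr_rule_matches(m)]
```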
