Need help with pipeline rule to replace source string

So I have my pfSense router logs being fed into my Graylog instance over Syslog UDP. I have a bunch of extractors configured, but they only handle the firewall logs. For all the other syslog messages pertaining to php-fpm, ssh, et al. as examples, it’s using the application as the source. Example messages below:

php-fpm: /index.php: Successful login for user 'admin' from:
sshd[76927]: Accepted keyboard-interactive/pam for root from port 1221 ssh2

In this message, Graylog sees the source as “php-fpm:”. So, I figured I’d try a pipeline rule that would do the trick.

rule "Change source to pfSense hostname"
when
    regex("^[a-z0-9-]+:$", to_string($message.source)).matches == true OR
    regex("^[a-z0-9-]+\\[\\d+\\]:$", to_string($message.source)).matches == true
then
    set_field("source", "pfSense-Router");
end

Syntax-wise it seems to be OK, but there aren’t any messages being processed by this rule and I can’t figure out why. Any help would be awesome and appreciated.
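Added example, not from the original post: a small Python harness that runs the rule's two regexes against the source values Graylog is producing for the sample messages, so the patterns can be checked before the rule is deployed. Python's re is close enough to the Java regex engine Graylog uses for these patterns; in a pipeline rule string literal the backslashes would be doubled. The sample source values and the corrected patterns are constructed here.

```python
import re

# Constructed sample "source" values, taken from the two messages in the post:
# Graylog is using the syslog program tag as the source field.
SAMPLE_SOURCES = ["php-fpm:", "sshd[76927]:", "pfSense-Router"]

# Patterns as written in the original rule: a single [a-z] character before the
# colon, and "d+" without the backslash that would make it match digits.
ORIGINAL_PATTERNS = [r"^[a-z]\:", r"^[a-z]\[d+\]\:"]

# Corrected patterns (assumption): a program name is one or more letters,
# digits or dashes, optionally followed by a [pid], then the trailing colon.
FIXED_PATTERNS = [r"^[a-z0-9-]+:$", r"^[a-z0-9-]+\[\d+\]:$"]


def matches_any(patterns, source):
    """Mirror the rule's OR condition: True if any pattern matches the source."""
    return any(re.search(p, source) for p in patterns)


def rewrite_source(source, patterns=FIXED_PATTERNS, hostname="pfSense-Router"):
    """Return the source the rule would set; unchanged when no pattern matches."""
    return hostname if matches_any(patterns, source) else source


if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src!r}: original={matches_any(ORIGINAL_PATTERNS, src)} "
              f"fixed={matches_any(FIXED_PATTERNS, src)} "
              f"-> {rewrite_source(src)!r}")
```

Neither original pattern matches either sample source, which is why no messages are touched by the rule; the corrected patterns match both program tags and leave an already-correct hostname alone.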

To start with the most obvious question: did you attach the pipeline to the stream that receives the messages?

Yep. I have two separate streams for the pfSense logs: one for the firewall, another for all the other syslog stuff. I also attached it to the all messages stream in case the rules for my custom streams weren’t being met for some reason.

