Need help with pipeline rule to replace source string

So I have my pfSense router logs being fed into my Graylog instance over Syslog UDP. I have a bunch of extractors from https://github.com/Hobadee/Graylog_Extractors_pfSense configured but they only handle the firewall logs. For all the other syslog messages pertaining to php-fpm, ssh, et al. as examples, it’s using the application as the source. Example messages below:

php-fpm: /index.php: Successful login for user 'admin' from: 192.168.0.227
sshd[76927]: Accepted keyboard-interactive/pam for root from 192.168.0.227 port 1221 ssh2

In this message, Graylog sees the source as “php-fpm:”. So, I figured I’d try a pipeline rule that would do the trick.

rule "Change source to pfSense hostname"
when
    // source is a bare program name followed by a colon, e.g. "php-fpm:"
    // (the original "^[a-z]\\:" only allowed a single letter before the colon)
    regex("^[a-z][a-z0-9_-]*:$", to_string($message.source)).matches == true OR
    // source is a program name with a PID, e.g. "sshd[76927]:"
    // (the original "\\[d+\\]" looked for the literal text "[d+]" rather than digits)
    regex("^[a-z][a-z0-9_-]*\\[\\d+\\]:$", to_string($message.source)).matches == true
then
    set_field("source", "pfSense-Router");
end

Syntax-wise it seems to be OK, but there aren’t any messages being processed by this rule and I can’t figure out why. Any help would be awesome and appreciated :slight_smile:
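As an added illustration (not part of the original post), the following Python script runs both the rule's original patterns and corrected versions of them against the source values Graylog would derive from the two quoted messages; it assumes the patterns behave the same under Python's `re` as under Graylog's Java-based `regex()` function, which holds for these anchored expressions.

```python
import re

# Corrected versions of the two patterns from the rule above.  The original
# "^[a-z]\\:" only matches a single lowercase letter before the colon, and
# "\\[d+\\]" looks for the literal text "[d+]" rather than a bracketed PID.
BARE_PROGRAM = re.compile(r"^[a-z][a-z0-9_-]*:$")
PROGRAM_WITH_PID = re.compile(r"^[a-z][a-z0-9_-]*\[\d+\]:$")

# The patterns exactly as written in the original rule, for comparison.
ORIGINAL_PATTERNS = [re.compile(r"^[a-z]\:"), re.compile(r"^[a-z]\[d+\]\:")]


def looks_like_program_tag(source: str) -> bool:
    """True when the 'source' field is really a syslog program tag, not a host."""
    return bool(BARE_PROGRAM.match(source) or PROGRAM_WITH_PID.match(source))


def original_rule_matches(source: str) -> bool:
    """What the rule as originally posted would have evaluated to."""
    return any(p.match(source) for p in ORIGINAL_PATTERNS)


def rewrite_source(source: str, hostname: str = "pfSense-Router") -> str:
    """Mirror the effect of set_field("source", hostname) for matching messages."""
    return hostname if looks_like_program_tag(source) else source


# Constructed sample: the source values Graylog derives from the two messages
# quoted in the post, plus a genuine hostname that must be left untouched.
SAMPLE_SOURCES = ["php-fpm:", "sshd[76927]:", "pfSense-Router"]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(f"{src!r}: original={original_rule_matches(src)} "
              f"fixed={looks_like_program_tag(src)} -> {rewrite_source(src)!r}")
```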

To start with the most obvious question: did you attach the pipeline to the stream that receives the messages?

Yep. I have two separate streams for the pfSense logs: one for the firewall, another for all the other syslog stuff. I also attached it to the all messages stream in case the rules for my custom streams weren’t being met for some reason.
