I am trying to figure out how to implement a regex pipeline rule based on the end of a specific field. For example:
If filename ends with .xxx.ps1 then ignore. (x’s being variables)
Does anyone know how I would accomplish this? I can figure out the actual regex portion of it, but I don’t know how to write the rule portion.
Thanks in advance.
What is the regex you have? With that we can help you with the rule, based on the documentation.
What do you mean by “ignore”? If you want to drop the entire message, something like this will work:
rule "drop message when regex .ps1 matches"
when
  // Java-style regex: the escaped dot matches a literal "." and $ anchors to the end of the field
  regex(".*\\.ps1$", to_string($message.message)).matches == true
then
  drop_message();
end
So here is what I am trying to accomplish.
I have a rule that detects the presence of various random file extensions. For example “.0x0”
The problem is that Windows PowerShell spits out all of these temporary .ps1 files with random 3 characters, and it constantly trips my rule because I have A LOT of file extensions. Since I do care about .ps1 files, but I do not care about temporary .xxx.ps1 files, I want to create a regex rule that will NOT alert me if it detects the pattern .xxx.ps1. (x's being any character)
Here is an example of a line of the rule that gets tripped:
contains(to_string($message.file_name), ".0x0", true)
So I would want something like:
contains(to_string($message.file_name), ".0x0", true) AND NOT
regex file_name contains .xxx.ps1 (needs to be case insensitive as well)
Can anyone tell me how to write the bolded portion? Sorry, I am very new to regex and Graylog, so any help would be appreciated.
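One way to write the rule the post above asks for, as an added example rather than code from the thread; the rule name, the set_field action and the sample file names are assumptions, and the original rule's real action should be substituted for set_field:

```graylog
// Added example, not from the thread. Assumes the message carries a
// "file_name" field and that the existing rule flags odd extensions
// with set_field; replace that action with whatever the real rule does.
//
// The exclusion regex "(?i)\.[^.]{3}\.ps1$" means: a dot, three
// characters that are not dots, a dot, then "ps1" at the very end of
// the name. "(?i)" makes the Java regex case-insensitive, so the
// contains() call (third argument true) and the regex agree on case.
// Relax "{3}" to "+" if the temporary names are not always 3 characters.
rule "flag odd file extensions, ignoring temporary .xxx.ps1 files"
when
  has_field("file_name") &&
  contains(to_string($message.file_name), ".0x0", true) &&
  ! regex("(?i)\\.[^.]{3}\\.ps1$", to_string($message.file_name)).matches
then
  set_field("suspicious_extension", true);
end

// Constructed sample file_name values and what the rule does with them:
//   "update.0x0"          -> no .xxx.ps1 suffix, rule fires
//   "tmp.0x0.ps1"         -> excluded, matches .xxx.ps1
//   "TMP.0X0.PS1"         -> excluded, case-insensitive match
//   "script.0x0.ps1.exe"  -> rule fires, .ps1 is not the last extension
```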