Need some help with a regex pipeline rule

(Luke) #1

I am trying to figure out how to implement a regex pipeline rule based on the end of a specific field. For example:

If filename ends with .xxx.ps1 then ignore. (x’s being variables)

Does anyone know how I would accomplish this? I can figure out the actual regex portion of it, but I don’t know how to write the rule portion.

Thanks in advance.


(Jan Doberstein) #2

What is the regex you have? With that we can help you with the rule, based on the documentation:

http://docs.graylog.org/en/3.0/pages/pipelines/functions.html#regex


(Ben van Staveren) #3

What do you mean by “ignore”? If you want to drop the entire message, something like this will work:

rule "drop message when regex .ps1 matches"
when
  regex(".*\\.ps1$", to_string($message.message)).matches == true
then
  drop_message();
end

(Luke) #4

So here is what I am trying to accomplish.

I have a rule that detects the presence of various random file extensions. For example “.0x0”

The problem is that Windows PowerShell spits out all of these temporary .ps1 files with random 3 characters, and it constantly trips my rule because I have A LOT of file extensions. Since I do care about .ps1 files, but I do not care about temporary .xxx.ps1 files, I want to create a regex rule that will NOT alert me if it detects the pattern .xxx.ps1. (x’s being any character)

Here is an example of a line of the rule that gets tripped:

contains(to_string($message.file_name), ".0x0", true)

So I would want something like:

contains(to_string($message.file_name), ".0x0", true) AND NOT
regex file_name contains .xxx.ps1 (needs to be case-insensitive as well)

Can anyone tell me how to write the bolded portion? Sorry, I am very new to regex and Graylog, so any help would be appreciated.

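One way to write the combined condition as a Graylog pipeline rule, added here as an example rather than code from anyone in the thread: it keeps the `contains` line from the post above, negates a case-insensitive `regex` match with `!`, and assumes a `set_field` action in place of whatever the original rule does in its `then` block.

```graylog
rule "odd extension present, but ignore temporary .xxx.ps1 files"
when
  // the existing extension check from the rule in the post above
  contains(to_string($message.file_name), ".0x0", true) &&
  // (?i) makes the Java regex case-insensitive, so .PS1 is covered too;
  // \\. is a literal dot, [^.]{3} is the random three-character part,
  // and $ anchors the pattern to the end of the file name
  ! regex("(?i)\\.[^.]{3}\\.ps1$", to_string($message.file_name)).matches
then
  // placeholder action (assumption): tag the message instead of alerting directly
  set_field("suspicious_extension", true);
end
```

A name such as `report.0x0` still satisfies the rule, while `report.0x0.AbC.ps1` is skipped because the second condition fails.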