Part of stream logs to another server

I was looking into sending logs that hit certain IP addresses to another server, but not containing the whole log message.

It goes smoothly with creating a new stream (using stream rules) and an output for it, BUT
the message field contains too much information for the recipient to see.

I’ve tried pipelining functions clone_message (combining with remove_field()) and create_message, but haven’t found the way to get rid of the message field, which contains EVERYTHING. Can’t write it empty either.

Any ideas how my goal can be achieved?

EDIT: My best workaround is to run a cron job which uses the REST API, but it’s not “real-time”, and involves more recipient-end actions.

EDIT2: DAA, I can, however, overwrite the message field with e.g. “message”

Having a monologue here…

Now I have trouble getting the pipeline to match srcip; dstip matches OK. Strange…
Even this:

```
regex("^.*$", to_string($message.message)).matches == true
```


matches only on the dstip field… same with this:

```
has_field("srcip") AND
to_string($message.srcip)=="" OR
to_string($message.dstip)=="" AND
has_field("isDuplicate") == false
```

Both dstip AND srcip are of field type ip, and if searched from the original stream, there are matches on both srcip and dstip.
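An added example pipeline rule for the setup described above (not code from the original post): it clones a message whose srcip or dstip equals a watched address, replaces the clone's message field with a short summary instead of the full log line, and routes only the clone to a stream that carries the external output. The stream name "forward-to-remote" and the address 198.51.100.7 are placeholders; the isDuplicate marker is set on the clone so the rule does not match the copy again when the clone is processed, which is what the isDuplicate check in the post's condition appears to be for.

```text
rule "forward ip hits with trimmed message"
when
  // Explicit parentheses: AND binds tighter than OR, so state the intent outright.
  has_field("srcip") && has_field("dstip") &&
  !has_field("isDuplicate") &&
  (to_string($message.srcip) == "198.51.100.7" ||   // placeholder watched address
   to_string($message.dstip) == "198.51.100.7")
then
  // Work on a copy so the original message and its stream stay untouched.
  let fwd = clone_message();

  // The built-in message field cannot be dropped, so overwrite it with a
  // short summary that carries only what the recipient needs to see.
  let summary = concat("ip-hit src=", to_string($message.srcip));
  set_field(field: "message",
            value: concat(summary, concat(" dst=", to_string($message.dstip))),
            message: fwd);

  // Strip the fields the recipient must not see; this touches the clone only.
  remove_field("full_message", fwd);

  // Mark the clone so this rule ignores it on its own pass through the pipeline.
  set_field(field: "isDuplicate", value: true, message: fwd);

  // "forward-to-remote" is an assumed stream name with the external output attached.
  route_to_stream(name: "forward-to-remote", message: fwd);
end
```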
