Hello,
I was looking into sending logs that hit certain IP-addresses to another server, but not containg the whole log message.
It goes smoothly with creating a new stream (using stream rules) and an output for it, BUT
the message field contains too much information for the recipient to see.
I’ve tried pipelining functions clone_message (combinig with remove_field()) and create_message, but haven’t found the way to get rid of the message-field, which contains EVERYTHING. Can’t write it empty either.
Any ideas how my goal can be achieved?
EDIT: My best workaround is to run a cron job which uses REST API, but it’s not “real-time”. and involves more recipient end actions.
EDIT2: DAA, I can, however, overwrite the message field with eg. “message”
when
has_field(“srcip”) AND
to_string($message.srcip)==“10.8.2.250” OR
to_string($message.dstip)==“10.8.2.250” AND
has_field(“isDuplicate”) == false
then
both dstip AND srcip are of field type ip and if searched from original stream, have matches in both srcip and dstip
