Part of stream logs to another server


(Laakkus) #1

Hello,
I was looking into sending logs that hit certain IP addresses to another server, but not containing the whole log message.

It goes smoothly with creating a new stream (using stream rules) and an output for it, BUT
the message field contains too much information for the recipient to see.

I’ve tried pipelining functions clone_message (combining with remove_field()) and create_message, but haven’t found the way to get rid of the message field, which contains EVERYTHING. Can’t write it empty either.

Any ideas how my goal can be achieved?

EDIT: My best workaround is to run a cron job which uses the REST API, but it’s not “real-time”, and involves more recipient-end actions.

EDIT2: DAA, I can, however, overwrite the message field with e.g. “message”


(Laakkus) #2

Having a monologue here…

Now I have trouble getting the pipeline to match srcip; dstip matches OK. Strange…
Even this:

when
  // dots escaped so they match a literal "." rather than any character
  regex("^.*185\\.39\\.186\\.152.*$", to_string($message.message)).matches == true
then

matches only on the dstip field… and so does this:

when
  has_field("srcip") AND
  // parentheses needed: AND binds tighter than OR, so without them the
  // dstip comparison pairs with the isDuplicate check instead of with srcip
  (
    to_string($message.srcip) == "10.8.2.250" OR
    to_string($message.dstip) == "10.8.2.250"
  ) AND
  has_field("isDuplicate") == false
then

Both dstip and srcip are of field type ip and, if searched from the original stream, have matches in both srcip and dstip.
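A complete rule, added here as an example and not Laakkus's own rule or anything from the Graylog project, that puts the two posts together: the OR over srcip/dstip is parenthesised so it does not bind underneath the ANDs, the address is compared with cidr_match() on a to_ip() value rather than with a regex over the whole message, and the copy that is routed onward gets a short message field, since that field is mandatory and cannot be removed. The stream name partner-forward and the marker field forwarded_copy are assumptions; the marker is there because a cloned message is fed back through the pipeline and would otherwise be cloned again on every pass.

```graylog
rule "forward trimmed copy of traffic touching 10.8.2.250"
when
  // the outer parentheses matter: AND binds tighter than OR, so without
  // them only one half of the srcip/dstip test survives the combination
  (
    ( has_field("srcip") AND cidr_match("10.8.2.250/32", to_ip($message.srcip)) )
    OR
    ( has_field("dstip") AND cidr_match("10.8.2.250/32", to_ip($message.dstip)) )
  )
  // forwarded_copy is an assumed marker field, not a Graylog built-in;
  // it stops the clone from matching this rule a second time
  AND NOT has_field("forwarded_copy")
then
  let copy = clone_message();
  // "message" cannot be removed, so overwrite it on the copy only;
  // the original keeps its full text in its own stream
  set_field(field: "message", value: "flow touching 10.8.2.250", message: copy);
  remove_field(field: "full_message", message: copy);
  set_field(field: "forwarded_copy", value: true, message: copy);
  // partner-forward is an assumed stream name; the output is attached to it
  route_to_stream(name: "partner-forward", message: copy, remove_from_default: true);
end
```

Whatever fields the recipient is allowed to see stay on the copy untouched; anything else that should not leave the box is removed with further remove_field() calls against the copy, so the original message in the source stream is never modified.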


(system) closed #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.