Part of stream logs to another server

(Laakkus) #1

I was looking into sending logs that hit certain IP-addresses to another server, but not containg the whole log message.

It goes smoothly with creating a new stream (using stream rules) and an output for it, BUT
the message field contains too much information for the recipient to see.

I’ve tried pipelining functions clone_message (combinig with remove_field()) and create_message, but haven’t found the way to get rid of the message-field, which contains EVERYTHING. Can’t write it empty either.

Any ideas how my goal can be achieved?

EDIT: My best workaround is to run a cron job which uses REST API, but it’s not “real-time”. and involves more recipient end actions.

EDIT2: DAA, I can, however, overwrite the message field with eg. “message”

(Laakkus) #2

Having a monologue here…

Now I have trouble getting pipeline to match srcip. dstip matches ok. strange…
even this:


regex("^.**$", to_string($message.message)).matches == true


matches on only dstip field… same does this:

has_field(“srcip”) AND
to_string($message.srcip)==“” OR
to_string($message.dstip)==“” AND
has_field(“isDuplicate”) == false

both dstip AND srcip are of field type ip and if searched from original stream, have matches in both srcip and dstip

(system) closed #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.