Pipeline and message filter


#1

Hello,

Currently, on Graylog, I use a pipeline with a lookup table to detect if a folder has been accessed. Depending on whether or not the user is in the lookup table containing the allowed users, we write in an “Access” field:

  • Allowed if the user is in the lookup table
  • Deny if he isn’t

It currently works just fine.

The next step would be to have a stream in which I’d have all the messages with the “Access” field value “Deny”, in order to create alerts. However, when I try to create a stream with a rule to filter messages having “Deny”, it doesn’t filter anything. I think it’s due to the message processors configuration that I changed in order to have my pipeline working.
I tried to use the route_to_stream function using the ID of my new stream as a parameter, but it didn’t work.

Is there any way to filter my messages after being processed by my pipeline?

Thanks for your help.


(Jan Doberstein) #2

@PAPER

You might be on the right track: you need to route with the route_to_stream function. Without you sharing the configuration of the processing order and the rules you tried, it is not really possible to help you with this. But the way is right.

Jan


#3

Never mind, I used route_to_stream and it works well right now.
Thanks for your help anyway!
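
The approach the thread settles on, sketched as an added example (not the posters' actual rules): two Graylog pipeline rules in the same stage that set the "Access" field from a lookup table and route denied accesses to a dedicated stream. The lookup table name `allowed_users`, the field name `user` and the stream ID placeholder are assumptions. Stream rules are evaluated by the Message Filter Chain processor, so they cannot match a field that the Pipeline Processor only sets afterwards; routing from inside the pipeline avoids depending on that order.

```graylog
// Assumed names: lookup table "allowed_users", message field "user".
// lookup_value() returns null when the key is not in the table.

rule "folder access: allowed user"
when
  has_field("user") &&
  is_not_null(lookup_value("allowed_users", to_string($message.user)))
then
  set_field("Access", "Allowed");
end

rule "folder access: denied user"
when
  has_field("user") &&
  is_null(lookup_value("allowed_users", to_string($message.user)))
then
  set_field("Access", "Deny");
  // Placeholder: replace with the ID of the alerting stream.
  // The pipeline must be connected to a stream these messages already pass through.
  route_to_stream(id: "<DENY_STREAM_ID>");
end
```

Alert conditions can then be defined on the target stream directly, without any stream rule on the "Access" field.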