Currently, on Graylog, I use a pipeline with a lookup table to detect whether a folder has been accessed. Depending on whether the user is in the lookup table containing the allowed users, we write an “Access” field:
- Allowed if the user is in the lookup table
- Deny if he isn’t
It currently works just fine.
The next step would be to have a stream in which I’d have all the messages with the “Access” field value “Deny”, in order to create alerts. However, when I try to create a stream with a rule to filter messages having “Deny”, it doesn’t filter anything. I think it’s due to the message processors configuration that I changed in order to have my pipeline working.
I tried to use the route_to_stream function using the ID of my new stream as a parameter, but it didn’t work.
Is there any way to filter my messages after they have been processed by my pipeline?
Thanks for your help.
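Added example, not part of the original post: one way to express the setup the post describes as Graylog pipeline rules, with the routing done inside the pipeline instead of by a stream rule. The lookup table name `allowed_users`, the field names `user` and `folder`, and the stream id are assumptions (the stream id is a placeholder to replace with the real id from the stream's page).

```graylog
// Added example (assumed names: lookup table "allowed_users",
// message fields "user" and "folder", placeholder stream id).
// lookup_value(table, key, default) returns the default when the key is
// not in the table, so "none" signals a user who is not on the allow list.

rule "folder access: allowed"
when
  has_field("user") && has_field("folder") &&
  to_string(lookup_value("allowed_users", to_string($message.user), "none")) != "none"
then
  set_field("Access", "Allowed");
end

rule "folder access: denied"
when
  has_field("user") && has_field("folder") &&
  to_string(lookup_value("allowed_users", to_string($message.user), "none")) == "none"
then
  set_field("Access", "Deny");
  // route_to_stream takes the stream id as a string; with remove_from_default
  // set to false the message also stays in the default stream for other searches.
  route_to_stream(id: "<STREAM_ID_PLACEHOLDER>", remove_from_default: false);
end
```

Both rules belong in the same pipeline stage so each message matches exactly one of them. Stream rules are evaluated by the Message Filter Chain processor, so when that processor runs before the Pipeline Processor a stream rule on the “Access” field sees messages before the field exists; routing from the pipeline itself avoids that ordering dependency, and the alert can then be defined on the denied stream.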