Hey,
I new at graylog and I need you help please
I create this rule:
rule “Locked Users Rule”
when
((to_string($message.EventID) == “4740”))
end
and assign it to the relevant pipeline but the messages are not route to the stream
if you need more details please let me know…
he @Amit1
the rule you have given does not contain any route_to_stream function plus you did not share your connection details of the pipeline.
Hey Jan
thanks for the answer
the connection is:
and i changed the rule:
rule “Locked Users Rule”
when
((to_string($message.EventID) == “4740”))
then
route_to_stream(“Monitor Locked User”);
end
and still i doesnt see that the messages are route to the stream…
thanks for you help!
he @Amit1
you need to connect the pipeline to the stream where the messages are CURRENTLY and not where they should go.
Most likely it is that you need to connect your pipeline to the all messages stream to filter out those messages into a separate stream.
rule “Locked Users Rule”
when
// first check if the field that is compared is given
// otherwise this rule would create an error on every message
// that does not contain the field.
has_field("EventID") AND
to_string($message.EventID) == “4740”
then
// routing via stream name is possible
// but as the names for streams are not unique
// the routing should be done via the ID of the stream
route_to_stream(“Monitor Locked User”);
end
Hi
i sorry i already check it.
the field islike the given:
and the name:Monitor Locked User is unique.
i also did what you recommended and still i dont see any message route to stream…
rule “Locked Users Rule”
when
((to_string($message.EventID) == “4740”))
then
route_to_stream(“5f15db9c0841fb00011e9e07”);
end
i sorry - am i doing something wrong?
You can still use stream rules instead of pipeline rule: go to Streams - Manage Rules - Add stream rule - Field: EventID, Type: Match exactly, Value: 4740
The reason I want to use pipeline is because I have more condition, like I want to monitor specific user, I have 10 user that I want to monitor when they enter to locked state.
The default rules stream, from what I read, does not support combination of condition (or and and) , that why I need to use pipelines.
Thanks!!
How do you extract field EventID? If using extractor, check if Pipeline processor is below Message Filter Chain in Message Processors Configuration in System - Configuration
Hi,
No, i dont use any extractor, but i did check what you say and Pipeline processor is below Message Filter Chain in Message Processors Configuration.
am i missing somthing? i need to use extractor?
System - Pipelines - click Edit
Pipeline connections - Edit Connection, and check as jan suggested, that you selected Steam where messages arrive, by default All messages
stage XX, click Edit and that you included your pipeline rule in section Stages rules. Also check condition above, if there are more than one stage rule, and you want to evaluate all condition (OR) - select At least one of the rules on this stage matches the message, or if you want to match all rules (AND) - select All rules on this stage match the message
rule "Debug EventID"
when
has_field("EventID")
then
let debug_message = concat("EventID is ", to_string($message.EventID));
debug(debug_message);
end
Afterthat check output of debug function in graylog log:
sudo tail -f /var/log/graylog-server/server.log
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.