Pipeline does not route to stream

Hey,

I'm new at Graylog and I need your help please.
I created this rule:
rule "Locked Users Rule"
when
((to_string($message.EventID) == "4740"))
end
and assigned it to the relevant pipeline, but the messages are not routed to the stream.
If you need more details please let me know…

Hey @Amit1

The rule you have given does not contain any route_to_stream function, plus you did not share the connection details of the pipeline.

Hey Jan,
thanks for the answer.
The connection is:
[image]
and I changed the rule:

rule "Locked Users Rule"
when
((to_string($message.EventID) == "4740"))
then
route_to_stream("Monitor Locked User");
end

and still I don't see that the messages are routed to the stream…

Thanks for your help!

Hey @Amit1

you need to connect the pipeline to the stream where the messages are CURRENTLY and not where they should go.

Most likely it is that you need to connect your pipeline to the all messages stream to filter out those messages into a separate stream.

rule "Locked Users Rule"
when
  // first check if the field that is compared is given
  // otherwise this rule would create an error on every message
  // that does not contain the field.
  has_field("EventID") AND
  to_string($message.EventID) == "4740"
then
  // routing via stream name is possible
  // but as the names for streams are not unique
  // the routing should be done via the ID of the stream
  route_to_stream("Monitor Locked User");
end

Hi

I'm sorry, I already checked it.
The field is like the given:
[image]
and the name: Monitor Locked User is unique.
I also did what you recommended and still I don't see any message routed to the stream…
rule "Locked Users Rule"
when
((to_string($message.EventID) == "4740"))
then
route_to_stream("5f15db9c0841fb00011e9e07");
end
I'm sorry - am I doing something wrong?

You can still use stream rules instead of a pipeline rule: go to Streams - Manage Rules - Add stream rule - Field: EventID, Type: Match exactly, Value: 4740

The reason I want to use a pipeline is because I have more conditions, like I want to monitor specific users; I have 10 users that I want to monitor when they enter the locked state.
The default stream rules, from what I read, do not support a combination of conditions (OR and AND), that's why I need to use pipelines.

Thanks!!
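An added example (not from this thread, and not from Graylog's own documentation) of what such a combined condition looks like in the pipeline rule language. It assumes the lockout event carries the locked account name in a field called TargetUserName (Windows Security event 4740 reports it under that name, but the field name you actually get depends on how the events are shipped into Graylog), it uses constructed account names, and "<STREAM_ID>" is a placeholder for the real stream ID:

```graylog
rule "Locked Users Rule - watched accounts"
when
  // Guard on field presence first, so messages without these fields
  // do not raise evaluation errors for every unrelated message.
  has_field("EventID") AND has_field("TargetUserName") AND
  // Event 4740 = "A user account was locked out" (Windows Security log).
  to_string($message.EventID) == "4740" AND
  // Only match the watched accounts (constructed example names).
  // The OR of several comparisons inside the AND is the combination
  // of conditions that a plain stream rule cannot express.
  (
    lowercase(to_string($message.TargetUserName)) == "alice" OR
    lowercase(to_string($message.TargetUserName)) == "bob" OR
    lowercase(to_string($message.TargetUserName)) == "svc-backup"
  )
then
  // Route by stream ID rather than name, since stream names are not unique.
  // "<STREAM_ID>" is a placeholder: copy the ID from the stream's page under Streams.
  route_to_stream(id: "<STREAM_ID>");
end
```

With ten accounts the OR list gets long; the same check can be written as one regex call, `regex("^(alice|bob|svc-backup)$", lowercase(to_string($message.TargetUserName))).matches`, which keeps the watched-account list in a single place. Either way the pipeline must be connected to the stream the messages currently arrive in (usually All messages), as noted earlier in the thread.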

How do you extract the field EventID? If you are using an extractor, check that the Pipeline Processor is below the Message Filter Chain in the Message Processors Configuration in System - Configuration

https://docs.graylog.org/en/3.3/pages/pipelines/stream_connections.html#the-importance-of-message-processor-ordering

Hi,

No, I don't use any extractor, but I did check what you said and the Pipeline Processor is below the Message Filter Chain in the Message Processors Configuration.
Am I missing something? Do I need to use an extractor?

  1. First check your pipeline - System - Pipelines - click Edit
  2. Next check Pipeline connections - Edit Connection, and check, as Jan suggested, that you selected the Stream where messages arrive, by default All messages
  3. Last check your stage XX, click Edit and check that you included your pipeline rule in the section Stage rules. Also check the condition above: if there is more than one stage rule and you want to evaluate any condition (OR) - select At least one of the rules on this stage matches the message, or if you want to match all rules (AND) - select All rules on this stage match the message
  4. Check also that your pipeline stage XX has a higher number, so that the field is already there.
  5. The best way to debug is to use the pipeline function debug() to check if the field is there on the right stage:
rule "Debug EventID"
when
  has_field("EventID")
then
  let debug_message = concat("EventID is ", to_string($message.EventID));
  debug(debug_message);
end

After that, check the output of the debug function in the Graylog log:
sudo tail -f /var/log/graylog-server/server.log