Pipeline Not Getting Throughput

poisedforflight · October 31, 2023, 4:20pm

I am trying to implement the pipeline rules found here but it’s not processing any messages: Sonicwall Pipeline Rules - Templates and Rules Exchange / Pipeline Rules - Graylog Community

rule "Extract: Sonicwall Extraction"
when
    has_field("source") AND contains(to_string($message.source), "192.168.1.1", true)
then
    set_fields(
        fields:key_value(
            value:to_string($message.message),
            //remove double quotes from keys and values
            trim_value_chars:"\"", 
            trim_key_chars:"\""
            )
        );
end

This is on GL 5.0.

Anyone have any suggestions or is there any other info I can supply that would be helpful?

faen · October 31, 2023, 4:32pm

Is the pipeline connected to the “Ridgeland SonicWall” stream?

In my application, I have my sonicwall only going into it’s own stream and not the Default Stream - not sure if that will make any difference or not, but might be worth a try if the pipeline is connected to the correct stream. Let me know if you want a screenshot of the pipeline connection, but it’s just below the “details” section. This is at the pipeline level and not the stage/rule level.

poisedforflight · October 31, 2023, 4:33pm

It is:

faen · October 31, 2023, 4:44pm

Thanks for the quick confirmation.

As next steps, I would try:

See if you can take the messages out of the default stream, so they are only in the sonicwall stream, and if that changes the behavior.
Ensure that you are looking at the most recent messages in search, and not an older message that may not have been processed (I know, obvious, but this was a stumbling block for me once, so I am throwing it out there)
Modify the rule to just write something for every message, so no “when” clause, just a set_field processed=true or something like that to try to isolate the error. Might be easier to make a new rule and move the rule in question to a later stage.

Hope that helps!

poisedforflight · October 31, 2023, 4:53pm

I set to remove from default stream, no change
definitely looking at new messages
could you help me out with this. I’m not well versed in pipelines at all, trying to learn. What would the rule look like?

faen · October 31, 2023, 5:06pm

Here’s a very simple rule that should result in a single additional field called “Processed”

rule "Test Rule"
When
    has_field("message")
Then
    set_field("Processed","true");
End

If you aren’t seeing those, I would focus on the input/stream area. Have you checked the graylog application log?

system · November 14, 2023, 5:07pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pfsense firewall Graylog Central (peer support)	2	347	December 9, 2023
Stream messages does not hit pipeline Graylog Central (peer support)	3	3788	December 31, 2018
Pipeline rules are not converting field datatypes, even though message throughput is > 0 with 0 errors Graylog Central (peer support) pipeline-rules	10	180	March 9, 2024
Pipeline rule does not apply to stream messages Graylog Central (peer support) pipeline-rules , debuggingpl	4	1479	November 23, 2017
Messages not routing into stream Graylog Central (peer support) pipeline-rules , route-to-streampl	4	2267	May 25, 2018

Pipeline Not Getting Throughput

Related Topics