Pipeline question

Graylog Central (peer support)
1

Hello,I have a stream, and i want to drop some event using pipeline.

  1. I create a pipeline and connect to my stream.

  2. Create two stage and two rule:
    rule “src_ip”
    when
    true
    then
    let mess = to_string($message.message);
    let parsed = grok(pattern: “%{IPV4:src_ip}”,value: mess);
    set_fields(parsed);
    end

    rule “Remove”
    when
    has_field(“src_ip”) &&
    cidr_match(“192.168.0.0/21”, to_ip($message.src_ip)) - for example
    then
    drop_message();
    end

  3. Copy RAW filebeats output to simulator:

Message would be dropped

The pipeline processor would drop such a message. That means that the message would not be stored , and would not be available for searches, alerts, outputs, or dashboards.

But if a launch filebeat to send logs - it’s not working.

2

he @MalinkinSA

what is your processing order in System > configuration?

3

Hello @jan
Pipeline Processor - enabled;

Order

Use drag and drop to change the execution order of the message processors.
AWS Instance Name Lookup
GeoIP Resolver
Pipeline Processor
Message Filter Chain

4

you might want to change the oder @MalinkinSA

message filter chain
pipeline processor

and disable aws dn geoip if you do not use that.

5

Many thanks, in test case that’s all ok.

6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.