Pipeline remove ip in message

dio99 · December 4, 2020, 1:10pm

im trying to get rid of ip adress “10.10.10.10” in the $message
any hints?

<166>Dec 4 13:05:27 10.10.10.10 Firewall1 %ASA-6-302020: Built inbound ICMP connection for faddr 10.52.31.10/0 gaddr 10.52.134.6/0 laddr 10.52.134.6/0 type 11 code 0

rule "[CISCO] remove snat ip in header "
when
has_field(“message”)
then

let string = regex_replace(
pattern:"\<(\S+)\>(\w+) (\w+) (\S+) (\S+)",
value: to_string($message.message),
replacement:"$1 $2 $3 $4");

//set_field(“test”, $message.message);

end

tmacgbay · December 4, 2020, 4:38pm

Is there a question here… looks more like a statement?

Try using the debug() function to figure out what your results are.

debug(string);

The results will show in the graylog server log:

tail -f /var/log/graylog-server/server.log

dio99 · December 4, 2020, 5:10pm

great yes ill test thtat added also the ?

dio99 · December 7, 2020, 1:10pm

2020-12-07 13:00:39,125 INFO : org.graylog.plugins.pipelineprocessor.ast.functions.Function - PIPELINE DEBUG: <166>Dec 7 13:00:39 10.10.10.10 Firewall1 %ASA-6-302021: Teardown ICMP connection for faddr 10.52.31.10/0 gaddr 10.52.134.6/0 laddr 10.52.134.6/0 type 11 code 0

tmacgbay · December 7, 2020, 2:16pm

Oh boy. So… I am guessing that you are stuck again? Simply reposting the message and nothing else makes me guess that … but I don’t know what you did… post what you did, what you found… what does your entire rule look like now with the debug function in it? Use the formatting tools to make it easy to read… Otherwise I have to spend my personal time guessing… or writing this up… before you post more… perhaps read through this:

https://community.graylog.org/faq

dio99 · December 8, 2020, 8:05am

Yes i only see the same output when enable debug mode in the pipeline.
Im running version 3.2.4 of graylog version
yes the regex match works tested it but still it wont replace.
i see the trace that its match in the pipeline and executed to, when i test it in simulator.
i only want to drop/replace the ip 10.10.10.10 in the message

the logmessage i tested on
<166>Dec 4 13:05:27 10.10.10.10 Firewall1 %ASA-6-302020: Built inbound ICMP connection for faddr 10.52.31.10/0 gaddr 10.52.134.6/0 laddr 10.52.134.6/0 type 11 code 0

Tested to change it like the example in doc.

rule "[CISCO] remove snat ip in message "
when
has_field(“message”) AND
contains(to_string($message.message), “10.10.10.10.”, true) OR
contains(to_string($message.message), “10.10.10.11”, true)
then

let string = regex_replace("\<(\d+)\>(\w+) (\d+) (\S+) (\S+).*", to_string($message.message), “$1 $2 $3 $4”);

end

shoothub · December 8, 2020, 10:33am

If you want to replace original message with new one you also need this line:
set_field("message", string);

dio99 · December 8, 2020, 12:27pm

great yes forgot that but still wont work on 3.2.4 i tested this on 3.3.7 and i got the replace working directly

system · December 22, 2020, 12:27pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline Rule - Drop messages with field containing IP Graylog Central (peer support) pipeline-rules , debuggingpl	7	3481	March 26, 2021
Pipeline rules problem Graylog Central (peer support) pipeline-rules	4	902	March 10, 2022
Pipeline doesn't work Graylog Central (peer support) pipeline-rules , debuggingpl	5	1363	March 11, 2020
Excluding logs using pipeline Graylog Central (peer support)	2	1419	November 5, 2018
FIlter IP range in Pipeline Graylog Tech Challenges pipeline-rules , debuggingpl	6	1776	July 26, 2021

Pipeline remove ip in message

Related topics