Pipeline Rule - Drop messages with field containing IP

tmacgbay · March 11, 2021, 11:43am

you can use the debug() function and watch what it’s output is in the Graylog logs:

tail -f /var/log/graylog-server/server.log

rule "Drop NAT from specific Subnet"
when
    starts_with(to_string($message.Int_Src_IP), "172.16.40")
then
    debug("Source IP match:");
    debug(to_string($message.Int_Src_IP));
    drop_message();
end

if nothing shows you can change the when to has_field("Int_Src_IP") just to make sure you get to the debug

Debug Function - Graylog 4.0

Topic		Replies	Views
Contains and Drop all other messages Graylog Central (peer support) pipeline-rules	8	3439	November 11, 2019
Unable to Drop syslog messages based on message contents Graylog Central (peer support)	12	1153	September 4, 2022
Dropping some log messages with specific field value Graylog Central (peer support)	7	7607	June 21, 2017
Pipeline doesn't work Graylog Central (peer support) pipeline-rules , debuggingpl	5	1360	March 11, 2020
Drop logs with pipeline rules Graylog Central (peer support) pipeline-rules	7	2324	February 7, 2019

Pipeline Rule - Drop messages with field containing IP

Related topics