Pipeline Rule - Drop messages with field containing IP

tmacgbay · March 11, 2021, 11:43am

you can use the debug() function and watch what it’s output is in the Graylog logs:

tail -f /var/log/graylog-server/server.log

rule "Drop NAT from specific Subnet"
when
    starts_with(to_string($message.Int_Src_IP), "172.16.40")
then
    debug("Source IP match:");
    debug(to_string($message.Int_Src_IP));
    drop_message();
end

if nothing shows you can change the when to has_field("Int_Src_IP") just to make sure you get to the debug

Debug Function - Graylog 4.0

Topic		Replies	Views
Contains and Drop all other messages Graylog Central (peer support) pipeline-rules	8	3264	November 11, 2019
Unable to Drop syslog messages based on message contents Graylog Central (peer support)	12	1032	September 4, 2022
Dropping some log messages with specific field value Graylog Central (peer support)	7	7384	June 21, 2017
Pipeline doesn't work Graylog Central (peer support) pipeline-rules , debuggingpl	5	1299	March 11, 2020
Drop logs with pipeline rules Graylog Central (peer support) pipeline-rules	7	2223	February 7, 2019

Pipeline Rule - Drop messages with field containing IP

Related Topics