Pipeline Rule not firing

Hi Folks,
I have created a pipeline rule

rule "Drop4624MachineAccounts"

when
	((to_string($message.EventID) == "4624")) 
	AND 
	(contains(to_string($message.TargetUserName),to_string("$"),true))
then
	drop_message();
end

I am using gelf to ingest windows security log.

I would like to drop specific events, in this case event 4624 whenever the TargetUserName field contains a computer account. A computer account has a $ symbol at the end, like

PC01$

I have tried using the contains function but it's not working.

I would appreciate your assistance in making this work.

What kind of symbol did you look for? You might want to use proper formatting in the forum to make it clearer …

Hi Jan, I have updated the format. Somehow the $ symbol went missing without formatting. Sorry for the inconvenience caused.

You want to escape the $; that should work, but I am not sure, as I do not have anything to test with.

I have updated the pipeline rule; however, I still see events with the computer name.

rule "Drop4624MachineAccounts"

when
	((to_string($message.EventID) == "4624")) 
	AND 
	(contains(to_string($message.TargetUserName),"/$",true))
then
	drop_message();
end

You escape a character with a \ and not a /.

Upon using \ I am seeing a syntax error. I tried without the " but still got a syntax error.

Did you try a double \\? That might be needed. But this is just guessing, not knowledge.

It might be easier to build a regex for this instead of using contains.

Hi Jan, I had earlier tried \\$ but that didn't work either.

Can you share a sample pipeline rule that uses the regex function, and I will modify it to my needs.

Hi Jan,
This is what worked for me. Thanks for your assistance in getting this sorted out.

rule "Drop4624MachineAccounts"
when
//    (has_field("EventID") AND (to_string($message.EventID) == "4624"))

// Original - Now Commented
	(has_field("EventID") AND (to_string($message.EventID) == "4624")) AND to_bool(regex("([a-zA-Z0-9])+\\$",to_string($message.TargetUserName)).matches)

then
	drop_message();
end
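The following is an added example, not part of the thread and not Graylog code: it re-implements the final rule's matching logic in Python so it can be exercised offline against constructed sample events. It shows why the pattern needs `\$` (a bare `$` is an end-of-input anchor in a regex, so the dollar sign must be escaped, and inside a double-quoted rule string the backslash itself is doubled, which is how `\\$` arises), and it places the thread's unanchored pattern beside an anchored variant. The anchored pattern, the sample events and the helper names are assumptions for illustration only.

```python
"""Offline re-implementation of the thread's "drop 4624 machine-account logons" rule.
Added example: not Graylog code, Graylog is not used; the events below are constructed."""
import re
from typing import Dict, List, Pattern, Tuple

# Pattern from the final rule in the thread.  In the Graylog rule it is written as
# "([a-zA-Z0-9])+\\$": the doubled backslash inside the quoted string yields a single
# backslash for the regex engine, turning '$' from an end-of-input anchor into a
# literal dollar sign.  A Python raw string needs only the one backslash.
THREAD_PATTERN: Pattern[str] = re.compile(r"([a-zA-Z0-9])+\$")

# Hardened variant (assumption, not from the thread): anchor both ends so that only a
# name that *ends* with '$' counts as a computer account.  Hyphens and underscores are
# allowed because hostnames, and therefore machine accounts, may contain them.
ANCHORED_PATTERN: Pattern[str] = re.compile(r"^[a-zA-Z0-9_-]+\$$")

Event = Dict[str, object]

# Constructed sample messages, shaped like the Windows security events a GELF shipper
# typically emits.  Field names follow the thread (EventID, TargetUserName).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 4624, "TargetUserName": "PC01$", "LogonType": 3},            # machine account
    {"EventID": "4624", "TargetUserName": "FS-02$", "LogonType": 3},         # EventID shipped as text
    {"EventID": 4624, "TargetUserName": "jdoe", "LogonType": 2},             # interactive user logon
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "LogonType": 3},  # no '$' at all
    {"EventID": 4625, "TargetUserName": "PC01$", "LogonType": 3},            # failed logon, other ID
    {"EventID": 4624, "TargetUserName": "svc$backup", "LogonType": 5},       # '$' not at the end
    {"TargetUserName": "PC01$"},                                             # no EventID field
]


def is_machine_account(name: str, pattern: Pattern[str] = THREAD_PATTERN) -> bool:
    """True when the pattern is found anywhere in the name (search semantics)."""
    return pattern.search(name) is not None


def should_drop(event: Event, pattern: Pattern[str] = THREAD_PATTERN) -> bool:
    """Mirror the rule's when-clause: has_field("EventID") AND to_string(EventID) == "4624"
    AND the regex matches TargetUserName."""
    if "EventID" not in event:
        return False
    if str(event["EventID"]) != "4624":  # string comparison, as to_string() does in the rule
        return False
    return is_machine_account(str(event.get("TargetUserName", "")), pattern)


def apply_rule(events: List[Event],
               pattern: Pattern[str] = THREAD_PATTERN) -> Tuple[List[Event], List[Event]]:
    """Split events into (kept, dropped), the way drop_message() would."""
    kept: List[Event] = []
    dropped: List[Event] = []
    for ev in events:
        (dropped if should_drop(ev, pattern) else kept).append(ev)
    return kept, dropped


def dropped_names(events: List[Event], pattern: Pattern[str] = THREAD_PATTERN) -> List[str]:
    """Account names of the events the rule would drop, in input order."""
    return [str(ev["TargetUserName"]) for ev in apply_rule(events, pattern)[1]]


if __name__ == "__main__":
    for label, pat in (("thread pattern", THREAD_PATTERN), ("anchored pattern", ANCHORED_PATTERN)):
        print(f"{label}: drops {dropped_names(SAMPLE_EVENTS, pat)}")
```

With search semantics the thread's pattern also drops `svc$backup`, a name that merely contains a dollar sign, while the anchored variant drops only names that end in `$`; the 4625 event and the message without an EventID field are kept by both. Whether the pattern is applied as a partial search or as a whole-string match is a property of the regex function in the version of Graylog in use, so check that behaviour before deciding whether anchoring is needed in the real rule.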
