Pipeline Rule not firing


(Nav) #1

Hi Folks,
I have created a pipeline rule

rule "Drop4624MachineAccounts"

when
	((to_string($message.EventID) == "4624")) 
	AND 
	(contains(to_string($message.TargetUserName),to_string("$"),true))
then
	drop_message();
end

I am using gelf to ingest windows security log.

I would like to drop specific events, in this case event 4624 whenever the TargetUserName field contains a computer account. A computer account has a $ symbol at the end, like

PC01$

I have tried using the contains function but it's not working.

I appreciate your assistance in making this work.


(Jan Doberstein) #2

What kind of symbol did you look for? You might want to use proper formatting in the forum to make it more clear …


(Nav) #3

Hi Jan, I have updated the format. Somehow the $ symbol went missing without formatting. Sorry for the inconvenience caused.


(Jan Doberstein) #4

You want to escape the $; that should work, but I am not sure, as I do not have something to test with.


(Nav) #5

I have updated the pipeline rule, however I still see events with computer names.

rule "Drop4624MachineAccounts"

when
	((to_string($message.EventID) == "4624")) 
	AND 
	(contains(to_string($message.TargetUserName),"/$",true))
then
	drop_message();
end

(Jan Doberstein) #6

You escape a character with a \ and not a /.


(Nav) #7

[screenshot: Graylog pipeline rule Drop4624MachineAccounts]
Upon using \ I am seeing a syntax error. I tried without " but still got a syntax error.


(Jan Doberstein) #8

Did you try a double \\? That might be needed. But this is just guessing, not knowledge.

It might be easier to build a regex on this instead of using contains.


(Nav) #9

Hi Jan, I have earlier tried \\$ but that didn't work either.

Can you share a sample pipeline rule that uses the regex function and I will modify it to the need.


(Nav) #10

Hi Jan,
This is what worked for me. Thanks for your assistance in getting this sorted out.

rule "Drop4624MachineAccounts"
when
//    (has_field("EventID") AND (to_string($message.EventID) == "4624"))

// Original - Now Commented
	(has_field("EventID") AND (to_string($message.EventID) == "4624")) AND to_bool(regex("([a-zA-Z0-9])+\\$",to_string($message.TargetUserName)).matches)

then
	drop_message();
end
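
The following is an added Python model of the final rule above; it is not Graylog code and not part of the original thread. It reproduces the pattern `([a-zA-Z0-9])+\$` (the rule's `\\$` inside a double-quoted string reaches the regex engine as `\$`, a literal dollar sign) and runs the drop decision over constructed sample events. It assumes Graylog's `regex()` reports a match found anywhere in the value rather than requiring the whole string to match; under that assumption the thread's unanchored pattern also drops a user name with a `$` in the middle, so an anchored variant (`matches_machine_account_strict`, my own addition) is shown beside it.

```python
import re

# Regex from the final rule in the thread. In the rule it appears as "([a-zA-Z0-9])+\\$":
# the string literal's \\ becomes a single backslash, which escapes $ so the regex
# engine sees a literal dollar sign instead of an end-of-input anchor.
MACHINE_ACCOUNT_RE = re.compile(r"([a-zA-Z0-9])+\$")

# Anchored variant (my addition, not from the thread): only a name that ENDS in $
# matches, which is the stated intent ("a computer account has $ at the end").
MACHINE_ACCOUNT_STRICT_RE = re.compile(r"^[A-Za-z0-9_-]+\$$")

# Constructed sample events shaped like the fields a Windows security log forwarded
# over GELF would carry. All values are made up for this example.
SAMPLE_EVENTS = [
    {"EventID": "4624", "TargetUserName": "PC01$"},        # machine logon: drop
    {"EventID": "4624", "TargetUserName": "alice"},        # user logon: keep
    {"EventID": 4624,   "TargetUserName": "DC02$"},        # numeric EventID, still drop
    {"EventID": "4625", "TargetUserName": "PC01$"},        # failed logon: keep
    {"TargetUserName": "PC03$"},                           # no EventID field: keep
    {"EventID": "4624", "TargetUserName": "svc$billing"},  # '$' in the middle, not a machine account
]


def matches_machine_account(name):
    """Thread's pattern. Assumes Graylog regex() uses search (find-anywhere) semantics."""
    return MACHINE_ACCOUNT_RE.search(name) is not None


def matches_machine_account_strict(name):
    """Anchored pattern: the whole name must be alphanumeric and end with '$'."""
    return MACHINE_ACCOUNT_STRICT_RE.search(name) is not None


def should_drop(event, matcher=matches_machine_account):
    """Mirror the rule's condition:
    has_field("EventID") AND to_string(EventID) == "4624" AND regex(...).matches
    """
    if "EventID" not in event:
        return False
    if str(event["EventID"]) != "4624":
        return False
    return matcher(str(event.get("TargetUserName", "")))


def filter_events(events, matcher=matches_machine_account):
    """Split a stream into (kept, dropped) the way the pipeline stage would."""
    kept, dropped = [], []
    for ev in events:
        (dropped if should_drop(ev, matcher) else kept).append(ev)
    return kept, dropped


if __name__ == "__main__":
    for label, m in (("thread pattern", matches_machine_account),
                     ("anchored pattern", matches_machine_account_strict)):
        kept, dropped = filter_events(SAMPLE_EVENTS, m)
        print(label, "dropped:", [e["TargetUserName"] for e in dropped])
```

Running it shows the thread's pattern dropping `svc$billing` as well as the two real machine accounts, while the anchored pattern drops only `PC01$` and `DC02$`. Whichever pattern is used, `drop_message()` removes these 4624 events before they are indexed, so check that no search or alert relies on machine-account logon events before enabling the rule.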
