Pipeline rule processing understanding

Hello,

I’m mildly confused on how rules in a stage are processed. Are they run in parallel or sequentially?

I tried the following:

Stage 1

Rule A - Should match a message if it has one of the Event IDs

rule "check_active_directory_event_id_range"
when
    has_field("winlogbeat_winlog_event_id") &&
    (
        to_string($message.winlogbeat_winlog_event_id) == "1234" ||
        to_string($message.winlogbeat_winlog_event_id) == "2345" ||
        to_string($message.winlogbeat_winlog_event_id) == "3456" ||
        to_string($message.winlogbeat_winlog_event_id) == "4567"
    )
then
    // no action: the rule only matches, so it can act as a filter for the stage
end

Rule B - Should drop the message if the message does not match

rule "drop_unwanted_messages"
when
    true
then
    // unconditional: runs for every message that reaches this stage
    drop_message();
end

  1. All messages are dropped, but I can see the debug message in server logs - so I guess all rules are applied in the stage to all messages?

  2. How do I set “Continue processing on next stage when” to get matched messages from Rule A to be processed in Stage 2? E.g. to filter for another event_data field out of the filtered event IDs?

The order of rules inside a stage is not guaranteed; if you need order, you need multiple stages.

You sometimes want a rule in a stage that does nothing but match and takes no action, just to act as a filter for which messages continue to the next stage.

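Putting the two answers together, here is an added example in Graylog's pipeline rule and pipeline definition language; it is not code from the original thread. It reuses the event-ID rule from the question and assumes a second field name, winlogbeat_winlog_event_data_TargetUserName, plus the rule and pipeline names shown. Stage 1 is set to "match all", so only messages for which the match-only rule fires continue to stage 2; stage 2 then drops matched events that lack the assumed event_data field. A drop rule whose condition is `true`, as in the question, runs for every message in its stage regardless of what the other rules in that stage did, which is why everything was dropped.

```graylog
// Rule definitions (each is created separately under
// System > Pipelines > Manage rules).

// Stage 1 filter: matches only, performs no action.
rule "check_active_directory_event_id_range"
when
    has_field("winlogbeat_winlog_event_id") &&
    (
        to_string($message.winlogbeat_winlog_event_id) == "1234" ||
        to_string($message.winlogbeat_winlog_event_id) == "2345" ||
        to_string($message.winlogbeat_winlog_event_id) == "3456" ||
        to_string($message.winlogbeat_winlog_event_id) == "4567"
    )
then
    // no action: the match result alone decides whether the message
    // continues to the next stage
end

// Stage 2 filter: keep only the matched events that carry the assumed
// event_data field "winlogbeat_winlog_event_data_TargetUserName".
rule "drop_without_target_user"
when
    ! has_field("winlogbeat_winlog_event_data_TargetUserName")
then
    drop_message();
end

// Pipeline definition (System > Pipelines > Manage pipelines).
// "match all" means every rule in the stage must match for the message
// to continue to the next stage.
pipeline "active_directory_filter"
stage 1 match all
    rule "check_active_directory_event_id_range";
stage 2 match all
    rule "drop_without_target_user";
end
```

Messages whose event ID is not in the list do not match stage 1, so they leave the pipeline there; they are not dropped and are still stored. If they should be dropped as well, add a second rule to stage 1 whose `when` is the negated event-ID condition and whose `then` calls `drop_message()`, and change stage 1 to `match either`: wanted messages then satisfy the match-only rule and continue, unwanted ones satisfy the drop rule and are discarded, and no rule in the stage needs a `true` condition.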