Pipeline rule with multiple conditions

hi there,

I'm trying to create a pipeline that would extract data from ssh logs and set the username, ip, login_result and similar fields. I can do it in this fashion and it works - for a single rule at a time:

rule "SSH Cert OK"
when
  has_field("application_name") &&
  to_string($message.application_name) == "sshd" &&
  starts_with(to_string($message.message), "Accepted publickey for ", true)
then
  // capture groups: 0 = username, 1 = source IP, 2 = port
  let grep = regex("^Accepted publickey for ([^ ]+) from ([^ ]+) port (.*)", to_string($message.message));

  set_field("ssh_result", "Login success");
  set_field("ssh_login_type", "Pubkey");
  set_field("username", grep["0"]);
  set_field("src_ip", grep["1"]);
end

The problem is, I'd like to have multiple rules for different messages (login fail, bad cert, etc.).
Can I do it in a single "rule" (like multiple when ... then, but that would be rather inefficient); should I cascade rules, or is there a more efficient way?

I don't think there is an if...elseif or case thing here, right?

Pretty sure the reasoning behind avoiding loops was for speed. Rules within a particular stage run semi-parallel, so if you want to rely on the results of a rule, the next rule should be in a following stage. So for instance you may set up an initial stage to break messages into fields based on source or perhaps something it finds in the message, then have following stages that run calculations on those fields.

Looks like for what you are doing - checking to see if a message looks a particular way and then breaking it out based on that - would be the way to set up several rules for things like login fail, bad cert etc. Since you test to see if it's the right message before taking the right action...

1 Like
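The layout the reply describes, written out as an added example (not code from the original thread or from the Graylog project): one rule per sshd message shape in stage 0, each with its own when-condition, and a stage 1 rule that depends on the ssh_result field the stage 0 rules set. Field names (ssh_result, ssh_login_type, ssh_invalid_user, ssh_auth_failure) and the pipeline name are assumptions; the message formats are the standard OpenSSH "Accepted publickey" and "Failed password" lines.

```graylog
// Stage 0 rule: successful public key login.
rule "SSH accepted publickey"
when
  has_field("application_name") &&
  to_string($message.application_name) == "sshd" &&
  starts_with(to_string($message.message), "Accepted publickey for ", true)
then
  // groups: 0 = username, 1 = source IP, 2 = source port
  let m = regex("^Accepted publickey for ([^ ]+) from ([^ ]+) port ([0-9]+)", to_string($message.message));
  set_field("ssh_result", "Login success");
  set_field("ssh_login_type", "Pubkey");
  set_field("username", m["0"]);
  set_field("src_ip", m["1"]);
  set_field("src_port", to_long(m["2"]));
end

// Stage 0 rule: failed password login, with or without "invalid user".
// The "(?:invalid user )?" part is non-capturing, so the group numbers
// stay the same for both message variants.
rule "SSH failed password"
when
  has_field("application_name") &&
  to_string($message.application_name) == "sshd" &&
  starts_with(to_string($message.message), "Failed password for ", true)
then
  let msg = to_string($message.message);
  let m = regex("^Failed password for (?:invalid user )?([^ ]+) from ([^ ]+) port ([0-9]+)", msg);
  set_field("ssh_result", "Login failure");
  set_field("ssh_login_type", "Password");
  // assumed field: true when the account does not exist on the host
  set_field("ssh_invalid_user", contains(msg, "invalid user "));
  set_field("username", m["0"]);
  set_field("src_ip", m["1"]);
  set_field("src_port", to_long(m["2"]));
end

// Stage 1 rule: relies on ssh_result, so it must sit in a later stage
// than the rules that set it.
rule "SSH tag failures"
when
  has_field("ssh_result") &&
  to_string($message.ssh_result) == "Login failure"
then
  set_field("ssh_auth_failure", true);
end

// Pipeline wiring: "match either" lets stage 1 run when at least one
// stage 0 rule matched; no single message matches more than one of the
// stage 0 rules because their starts_with conditions are disjoint.
pipeline "SSH auth parsing"
stage 0 match either
  rule "SSH accepted publickey";
  rule "SSH failed password";
stage 1 match either
  rule "SSH tag failures";
end
```

Adding a new message type (bad certificate, disconnect, etc.) means adding one more rule to stage 0 with its own starts_with guard; nothing in the existing rules changes, which is the cascade-free structure the reply recommends.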
