Pipeline Rules - Exact Match on Field


(Jesse Hills) #1

Hi all,

I have created a pipeline rule and it does appear to work however, I’m not 100% sure on whether I am using the correct or best method in achieving my goal.

I was having issue with using contains(to_string($message.sysmon_event_id),"3") within my pipeline rule as it was matching on messages where the sysmon_event_id was ‘13’ - Of course, due to the string 13 containing ‘3’.

My rule is as shown in the below screenshot:

msiexec_detect_rule

From the screenshot above, I am performing an exact match check against the returned value of to_string($message.sysmon_event_id) - At least, as far as I can see, it does seem to be working as I expected.

This is more of a query as to whether this is a correct method for performing an exact match or whether the rule is just matching on the message(s) because the check against the sysmon_data_process field is matching and my final line within the when section of the rule is being ignored.

Thanks,
Jesse


(Jochen) #2

Since you’re chaining the conditions in the when-clause with logical AND, all conditions have to match for the rule to be evaluated.


(Jesse Hills) #3

Thanks for that, @jochen

So, is the to_string($message.sysmon_event_id) == "3" a valid way to perform an exact match within the pipeline rule?

From what I can see within my Graylog system, it does appear to be working but, just wanting to make sure that I’m doing things in a /correct/ Graylog way.

Thanks,
Jesse


(Jochen) #4

Yes. If it wasn’t, your rule wouldn’t work. :wink:
http://docs.graylog.org/en/2.4/pages/pipelines/rules.html#conditions


(Jesse Hills) #5

I did think that but, wanted to double-check with others – Sanity check and all!

Solution has been marked.

Thanks again


(system) #6

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.