Pipeline Rules - Exact Match on Field

Hi all,

I have created a pipeline rule and it does appear to work however, I’m not 100% sure on whether I am using the correct or best method in achieving my goal.

I was having issue with using contains(to_string($message.sysmon_event_id),"3") within my pipeline rule as it was matching on messages where the sysmon_event_id was ‘13’ - Of course, due to the string 13 containing ‘3’.

My rule is as shown in the below screenshot:

From the screenshot above, I am performing an exact match check against the returned value of to_string($message.sysmon_event_id) - At least, as far as I can see, it does seem to be working as I expected.

This is more of a query as to whether this is a correct method for performing an exact match or whether the rule is just matching on the message(s) because the check against the sysmon_data_process field is matching and my final line within the when section of the rule is being ignored.

Thanks,
Jesse

Since you’re chaining the conditions in the when-clause with logical AND, all conditions have to match for the rule to be evaluated.

Thanks for that, @jochen

So, is the to_string($message.sysmon_event_id) == "3" a valid way to perform an exact match within the pipeline rule?

From what I can see within my Graylog system, it does appear to be working but, just wanting to make sure that I’m doing things in a /correct/ Graylog way.

Thanks,
Jesse

Yes. If it wasn’t, your rule wouldn’t work.
http://docs.graylog.org/en/2.4/pages/pipelines/rules.html#conditions

I did think that but, wanted to double-check with others – Sanity check and all!

Solution has been marked.

Thanks again