Pipeline rules only being applied to default "All Messages" Stream

imperatives · February 16, 2017, 6:26pm

v. 2.2.0
I am unable to apply Pipeline Rules to Streams other than the default “All Messages” stream. When the Pipeline connection is set to any other Stream the rules are not applied. Messages appear to be going through the Pipeline either way.

Here is the Rule:

rule "ssh_session_opened extraction"
when
  has_field("type") && to_string($message.type) == "syslog"
then
  let message_field = to_string($message.message);
  let action = grok(pattern: "%{SYSLOG_SSHD_SESSISON_OPENED}", value: message_field, only_named_captures: true);
  set_fields(action);
end

%{SYSLOG_SSHD_SESSISON_OPENED} is defined in Graylog as:

%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{WORD:pam_type}\(%{DATA:pam_message}\): session opened for user %{USER:pam_username} by \(uid=%{USERNAME:pam_uid:int}\)

imperatives · February 16, 2017, 6:47pm

I was able to resolve this by creating a route_to_stream rule. Rereading the “The All messages stream” section of the documentation cleared things up.

Topic		Replies	Views
Pipeline Rules Works if Streams is set to "All Messages" but not specific Stream Graylog Central (peer support) pipeline-rules	3	579	June 7, 2021
Another pipleline question Graylog Central (peer support) pipeline-rules	6	435	March 1, 2022
Pipeline rule does not apply to stream messages Graylog Central (peer support) pipeline-rules , debuggingpl	4	1485	November 23, 2017
Messages not routing into stream Graylog Central (peer support) pipeline-rules , route-to-streampl	4	2290	May 25, 2018
Drop message before "All Messages" stream Graylog Central (peer support) pipeline-rules , route-to-streampl	3	1746	April 7, 2020

Pipeline rules only being applied to default "All Messages" Stream

Related topics