Pipeline rules only being applied to default "All Messages" Stream


#1

v. 2.2.0
I am unable to apply Pipeline Rules to Streams other than the default “All Messages” stream. When the Pipeline connection is set to any other Stream the rules are not applied. Messages appear to be going through the Pipeline either way.

Here is the Rule:

```
rule "ssh_session_opened extraction"
when
  has_field("type") && to_string($message.type) == "syslog"
then
  let message_field = to_string($message.message);
  let action = grok(pattern: "%{SYSLOG_SSHD_SESSISON_OPENED}", value: message_field, only_named_captures: true);
  set_fields(action);
end
```

%{SYSLOG_SSHD_SESSISON_OPENED} is defined in Graylog as:

```
%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{WORD:pam_type}\(%{DATA:pam_message}\): session opened for user %{USER:pam_username} by \(uid=%{USERNAME:pam_uid:int}\)
```

#2

I was able to resolve this by creating a route_to_stream rule. Rereading the “The All messages stream” section of the documentation cleared things up.
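As an added illustration of the fix described above (example rule, not the poster's own), a `route_to_stream` rule that sends matching syslog messages into a dedicated stream so that a pipeline connected to that stream sees them. The stream name "SSH Sessions" and the `contains` filter are assumptions; the extraction rule from post #1 is expected to run in a later stage.

```graylog
// Stage 0 of a pipeline connected to the "All messages" stream.
// Routes SSH session messages into the assumed stream "SSH Sessions"
// so that the extraction pipeline connected to that stream can process them.
rule "route ssh session messages to SSH Sessions stream"
when
  has_field("type") && to_string($message.type) == "syslog" &&
  contains(to_string($message.message), "session opened for user", true)
then
  // remove_from_default: false keeps a copy in "All messages";
  // set it to true if the message should only live in the target stream.
  route_to_stream(name: "SSH Sessions", remove_from_default: false);
end
```

Put the "ssh_session_opened extraction" rule from post #1 in a stage numbered higher than this routing stage; pipelines connected to the target stream only see the message once it has been routed there.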