Pipeline rules to sort syslog input to separate streams based on device, not working

I have created a pipeline with rules to sort the incoming Cisco ASA Syslog messages (Default Stream) based on the ASA’s Hostname into a separate stream for each ASA Host. I see the pipeline getting throughput but the rules do not appear to be sorting anything and the separate streams remain empty.

Running Graylog Server v. 5.1.7

```
rule "Sort Cisco ASA Syslogs by Host - FW"
when
  has_field("host") && to_string($message.host) == "host1"
then
  route_to_stream(id: "6542721db6b7875b3c1b300b");
end
```

I have 2 additional rules for the other 2 ASA devices, written as above for Host1. All 3 are in my single Stage 0, connected to the Default Stream that is currently receiving the data from all 3 devices.

Each of the 3 new streams I want this data routed to also has a rule defined that looks for the "Host" field to match the hostname of the device that is supposed to be routed to that stream.

I also verified that the Message Filter Chain is located above Pipeline Processor in the Message Processors Config.

Am I going about this the right way? Is "host" the correct name for the field denoting a Cisco ASA's hostname/device_name?

Hey @ckilmer75

If all three rules are on stage "0", when one hits the other two don't get used. Try separating each rule into its own pipe.

I had it that way previously and it didn’t work which is why I tried the current way. I’ll separate them out again and see if something changed.

Edit: I put them each in their own stage and they are still not processing messages. I see Stage 0 has throughput coming in, but it’s not processing it.

Okay, I solved the issue. I gave up on trying to sort via Hostname and instead sorted via Source (IP) and now the rules are sorting to the correct streams.
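As an added example (not code from the thread), here is one of the three rules rewritten to match on the `source` field, as the final reply describes, with `remove_from_default` set so matched messages stop accumulating in the Default Stream; the IP address and stream ID are placeholders to replace with your own values.

```graylog
// Added example: route one ASA's syslog messages by its source IP.
// "192.0.2.10" and "STREAM_ID_PLACEHOLDER" are placeholders, not values from the thread.
rule "Sort Cisco ASA Syslogs by Source - FW1"
when
  // Guard with has_field so the comparison never runs against a missing field.
  has_field("source") && to_string($message.source) == "192.0.2.10"
then
  // Tag the message so the matching rule can be checked in the search view.
  set_field("asa_device", "FW1");
  // Route to the per-device stream and drop the copy left in the Default Stream.
  route_to_stream(id: "STREAM_ID_PLACEHOLDER", remove_from_default: true);
end
```

Repeat the rule once per ASA with its own source IP and stream ID; searching for `asa_device:FW1` afterwards confirms which rule matched each message.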
