Pipeline simulator and message fields


(Francois) #1

I’m trying to figure out this pipeline feature for the purpose of dropping some messages that I simply do not care about. Basically, I’m looking to do blacklisting. In order to do that filtering, I am looking for the existence of specific fields that would be created by an extractor. When I go to the pipeline simulator and paste in a copy of the raw message, select a Message input, it doesn’t seem to run that message through any extractor.

What am I missing here?

I am using the “All messages” stream.

The rule that I am trying to use is:

rule "has firewall fields"
when
    has_field("FW_Src_IPv4") && has_field("FW_Dst_IPv4")
then
end

Thanks!


(Jan Doberstein) #2

What is the processing order over at System > Configuration? The pipelines should be after the Message Filter Chain.

And your rule needs the drop - http://docs.graylog.org/en/2.4/pages/pipelines/functions.html#drop-message - if you really want to drop.


(Francois) #3

Sorry, I failed to mention that I have already ensured that the pipeline is after the Message filter Chain.

The rule I posted was only the one to figure out if the message is from the firewall. I have another rule that will do the drop of the message.

As I indicated earlier, the fields that should have been created by the extractor are not showing up in the simulator.

How would I troubleshoot that?

Thanks!


(Francois) #4

Bump this thread. Jan?

Thanks!


(Jan Doberstein) #5

The problem with the simulator is that the message needs to look like a message as it is received by Graylog - if no extractor runs on that message, it looks like the message did not look like a raw message for that input.

For Cisco devices that would be something like:

<189>91: *Mar 15 2018 21:48:41.663 UTC: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.200.1)

(Francois) #6

Ok, so if I use the following, which is taken from the full_message field in one of the events, and supply that to the "Raw Message" field:

<150>Mar 22 2018 12:06:58 Henderson-ASA : %ASA-6-106100: access-list 200 denied tcp inside/10.55.172.187(60909) -> outside/157.55.170.113(5671) hit-cnt 1 first hit [0x912b3b50, 0xda8ccb71]

which is taken from an ASA firewall, the extractors do not fire at all. The extractors did work properly when this message came in - it's just the simulator that is not.
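The two-stage behaviour this thread hinges on (an input extractor creates FW_Src_IPv4 / FW_Dst_IPv4, and only afterwards can a pipeline rule see them with has_field and decide to drop) can be reproduced offline. The following is an added illustration written for this thread, not Graylog code and not the poster's configuration: it stands in for a regex extractor on the ASA 106100 access-list line quoted above, the "has firewall fields" rule, and a second rule that calls the drop. The regex, the is_firewall flag and the two sample messages are constructed here; it also lets you flip the processing order to see why a pipeline that runs before the Message Filter Chain never finds the fields.

```python
import re
from typing import Callable, Dict, List, Optional

Message = Dict[str, str]

# Constructed sample input: the ASA line quoted in this thread and the
# Cisco IOS line from the earlier reply.
ASA_MSG = ("<150>Mar 22 2018 12:06:58 Henderson-ASA : %ASA-6-106100: access-list 200 "
           "denied tcp inside/10.55.172.187(60909) -> outside/157.55.170.113(5671) "
           "hit-cnt 1 first hit [0x912b3b50, 0xda8ccb71]")
IOS_MSG = ("<189>91: *Mar 15 2018 21:48:41.663 UTC: %SYS-5-CONFIG_I: Configured from "
           "console by cisco on vty0 (192.168.200.1)")

# Stand-in for a regex extractor attached to the syslog input. The field names
# FW_Src_IPv4 / FW_Dst_IPv4 are the ones the thread's rule tests for.
ASA_ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list \S+ (?P<action>permitted|denied) (?P<proto>\w+) "
    r"\S+/(?P<src>\d{1,3}(?:\.\d{1,3}){3})\(\d+\) -> "
    r"\S+/(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\(\d+\)"
)


def run_extractors(message: Message) -> Optional[Message]:
    """Message Filter Chain stage: add fields when the ASA pattern matches."""
    m = ASA_ACL_RE.search(message["message"])
    if m:
        message["FW_Src_IPv4"] = m.group("src")
        message["FW_Dst_IPv4"] = m.group("dst")
        message["FW_Action"] = m.group("action")
    return message


def has_field(message: Message, name: str) -> bool:
    return name in message


def rule_has_firewall_fields(message: Message) -> Message:
    """Mirrors the 'has firewall fields' rule; here it tags the message."""
    if has_field(message, "FW_Src_IPv4") and has_field(message, "FW_Dst_IPv4"):
        message["is_firewall"] = "true"   # hypothetical marker field
    return message


def rule_drop_firewall(message: Message) -> Optional[Message]:
    """Second rule: drop_message() equivalent for tagged firewall messages.
    Substitute the real blacklist condition for the tag check."""
    if message.get("is_firewall") == "true":
        return None  # None models a dropped message
    return message


def run_pipeline(message: Message) -> Optional[Message]:
    """Pipeline stage: rules run in order; a drop stops processing."""
    for rule in (rule_has_firewall_fields, rule_drop_firewall):
        message = rule(message)
        if message is None:
            return None
    return message


def process(raw: str, pipelines_after_filter_chain: bool) -> Optional[Message]:
    """Simulate the System > Configuration processing order."""
    stages: List[Callable[[Message], Optional[Message]]] = (
        [run_extractors, run_pipeline] if pipelines_after_filter_chain
        else [run_pipeline, run_extractors]
    )
    msg: Optional[Message] = {"message": raw}
    for stage in stages:
        if msg is None:
            break
        msg = stage(msg)
    return msg


if __name__ == "__main__":
    for order in (True, False):
        print("pipelines after filter chain:", order)
        print("  ASA:", process(ASA_MSG, order))
        print("  IOS:", process(IOS_MSG, order))
```

With the correct order the ASA message gains both FW fields and is dropped while the IOS message passes untouched; with the pipeline ahead of the filter chain, has_field fails at rule time and the ASA message survives with its fields added only afterwards, which is exactly the symptom of seeing fields in the search but not in the simulator.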
