I’m trying to figure out this pipeline feature for the purpose of dropping some messages that I simply do not care about. Basically, I’m looking to do blacklisting. In order to do that filtering, I am looking for the existence of specific fields that would be created by an extractor. When I go to the pipeline simulator and paste in a copy of the raw message, select a Message input, it doesn’t seem to run that message through any extractor.
What am I missing here?
I am using the “All messages” stream.
The rule that I am trying to use is:
```
rule "has firewall fields"
when
  has_field("FW_Src_IPv4") && has_field("FW_Dst_IPv4")
then
end
```
The problem with the simulator is that the message needs to look like a message that is received by Graylog. If no extractor runs on that message, it looks like the message did not look like a raw message for that input.
For Cisco devices that would be something like:
<189>91: *Mar 15 2018 21:48:41.663 UTC: %SYS-5-CONFIG_I: Configured from console by cisco on vty0 (192.168.200.1)
Ok, so if I use the following, which is taken from the full_message field in one of the events, and supply that to the “Raw Message” field:
<150>Mar 22 2018 12:06:58 Henderson-ASA : %ASA-6-106100: access-list 200 denied tcp inside/10.55.172.187(60909) -> outside/157.55.170.113(5671) hit-cnt 1 first hit [0x912b3b50, 0xda8ccb71]
Which is taken from an ASA firewall, the extractors do not fire at all. The extractors did work properly when this message came in; it’s just that the simulator is not.
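To illustrate the dependency the thread is about (the `has_field` rule only matches once an extractor has actually populated `FW_Src_IPv4` and `FW_Dst_IPv4`), here is an added stand-alone model, not Graylog code and not the poster's extractor: a constructed regex stands in for the extractor, and the rule condition is evaluated against the two raw messages quoted above.

```python
import re
from typing import Dict

# Constructed regex standing in for the poster's extractor (the real
# extractor configuration is not shown in the thread). It only matches
# ASA 106100 access-list messages.
ASA_ACL_RE = re.compile(
    r"%ASA-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src_if>[^/]+)/(?P<src>\d+\.\d+\.\d+\.\d+)\((?P<sport>\d+)\) -> "
    r"(?P<dst_if>[^/]+)/(?P<dst>\d+\.\d+\.\d+\.\d+)\((?P<dport>\d+)\)"
)

# The two raw messages quoted in the thread.
ASA_SAMPLE = ("<150>Mar 22 2018 12:06:58 Henderson-ASA : %ASA-6-106100: access-list 200 "
              "denied tcp inside/10.55.172.187(60909) -> outside/157.55.170.113(5671) "
              "hit-cnt 1 first hit [0x912b3b50, 0xda8ccb71]")
CISCO_SAMPLE = ("<189>91: *Mar 15 2018 21:48:41.663 UTC: %SYS-5-CONFIG_I: "
                "Configured from console by cisco on vty0 (192.168.200.1)")


def run_extractor(raw: str) -> Dict[str, str]:
    """Model of the extractor stage: FW_* fields exist only when the raw text matches."""
    msg = {"message": raw}
    m = ASA_ACL_RE.search(raw)
    if m:
        msg["FW_ACL"] = m.group("acl")
        msg["FW_Action"] = m.group("action")
        msg["FW_Proto"] = m.group("proto")
        msg["FW_Src_IPv4"] = m.group("src")
        msg["FW_Src_Port"] = m.group("sport")
        msg["FW_Dst_IPv4"] = m.group("dst")
        msg["FW_Dst_Port"] = m.group("dport")
    return msg


def has_firewall_fields(msg: Dict[str, str]) -> bool:
    """The 'has firewall fields' rule condition: has_field on both FW_* addresses."""
    return "FW_Src_IPv4" in msg and "FW_Dst_IPv4" in msg


def simulate(raw: str) -> bool:
    """Extractor first, then the rule; a message with no extractor hit never matches."""
    return has_firewall_fields(run_extractor(raw))


if __name__ == "__main__":
    for sample in (ASA_SAMPLE, CISCO_SAMPLE):
        print(simulate(sample), run_extractor(sample).get("FW_Src_IPv4"))
```

The Cisco IOS line never gains the FW_* fields, so the rule does not match it, which is the same behaviour the simulator shows when the pasted text does not pass through the input's extractor.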