I have two pipelines to change server names - I can watch the Graylog log file showing the source name being swapped
but when I view look at the search results, the source name is back to “brunswickxtm”
however an identical rule for another firewall works and the source name change is reflected in the search results.
Rule that works
rule "Email AFS" when to_string($message.source) == "EMAILAFS" then set_field("source", "WatchGuard M300"); end
Rule that doesn’t work.
rule "BRXTM" when to_string($message.source) == "BRUNSWICKXTM" then debug($message.source); set_field("source", "WatchGuard XTM26W"); debug($message.source); end
The debug messages trigger when watching the log.