Problem with stream rules

Hello,

I have a question with creating rules for streams.

The Graylog server receives logs from different machines through a UDP Syslog input. Machines have different names depending on the environment they belong to, for example, development machines start with the letter d.

I have created a stream so that the messages from the development machines are sent to a specific index.

In the stream rules, I created a “match input” rule to use the syslog input logs and a second rule to filter on machine names, but it doesn’t work.

When I do a search for “source:d*” it filters me only for machines that start with that letter, but when I use the rule it doesn’t work:
Field: source
Type: Match regular expression
Value: d*

All the logs from the input enter the stream, but filtering by name will not be performed. What am I doing wrong?

Thanks, greetings.

“but it doesn’t work”

Can you clarify what is not working and what you are expecting to happen?

“All the logs from the input enter the stream”

Which logs and which stream?

Can you also provide an example of a log message you expect to match your stream rule as well as a screenshot of your screen rule(s)?

Good morning,

The problem is that the stream rules are not working as expected, it is probably an error in their configuration but I don’t know what the correct way would be.

There are two rules, one of them for the source whose name begins with the letter p and another for the source that begins with d.

Source starts with p:

Source starts with d:

Rule configuration:


When I do a search with this parameter, it works:

The problem is that filtering is not being performed, the two streams are receiving the same data.

The logs that I want to direct through these streams are all those that come from the syslog UDP input and meet the condition of the first letter of the source.

Thanks, greetings.

Can you share a sample log message that is not matching? You can scrub/redact, but I’d like to test and see how it behaves.

Thanks.

Good morning,

For example, this log, the source is pl*** so I would like it to only enter through the SYSLOG_PRO stream, using the source:p* rule, but it is entering through the two configured streams at the same time.

The stream rules are not being met, how should they be configured to meet this objective?

Thanks, greetings.

Very interesting. I did a quick test and using the same stream rule (e.g. d*) it does match when I would expect it to not match. There is no d character anywhere in the string plaphp92v.

I experimented with some different regex patterns, and this one seems to work as expected without false positives:

To match:


To not match:

Can you try changing your stream rules to ^p and ^d respectively?
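The behaviour discussed in this thread, as an added example that is not code from the thread or from Graylog: a small Python script that applies stream-rule regexes to sample source names. It assumes a "Match regular expression" rule fires when the pattern is found anywhere in the field value (search semantics), which is the only reading consistent with d* admitting plaphp92v; the stream name SYSLOG_DEV and the source names other than plaphp92v and dapp1.local are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample source values. "plaphp92v" and "dapp1.local" are the
# names quoted in this thread; the others are made up for illustration.
SAMPLE_SOURCES = ["plaphp92v", "pl-web01", "dapp1.local", "dev-db02", "qa-api03"]

# Assumed rule semantics: a "Match regular expression" stream rule fires when
# the pattern is found anywhere in the field value (search, not full match).
# That is the only reading consistent with "d*" letting "plaphp92v" through.


def matched_text(pattern: str, value: str) -> Optional[str]:
    """Return the substring the rule actually matched, or None if no match."""
    m = re.search(pattern, value)
    return m.group(0) if m else None


def rule_matches(pattern: str, value: str) -> bool:
    """True if a stream rule with this regex would accept the value."""
    return re.search(pattern, value) is not None


def route(pattern: str, sources: List[str] = SAMPLE_SOURCES) -> List[str]:
    """Sources that a stream with a single regex rule on 'source' receives."""
    return [s for s in sources if rule_matches(pattern, s)]


def assign_streams(rules: Dict[str, str],
                   sources: List[str] = SAMPLE_SOURCES) -> Dict[str, List[str]]:
    """Map each stream name to the sources its regex rule admits.

    With overlapping rules one message lands in several streams at once,
    which is exactly the symptom reported in this thread.
    """
    return {name: route(pattern, sources) for name, pattern in rules.items()}


if __name__ == "__main__":
    # "d*" means "zero or more d's": it matches the empty string at the start
    # of any value, so the rule accepts every message.
    print(repr(matched_text("d*", "plaphp92v")))
    print(assign_streams({"SYSLOG_DEV": "d*", "SYSLOG_PRO": "p*"}))
    # Anchoring to the start of the value restores the intended split.
    print(assign_streams({"SYSLOG_DEV": "^d", "SYSLOG_PRO": "^p"}))
```

Note that the anchored pattern ^d also matches a source in FQDN form such as dapp1.local, so a domain suffix on its own is not rejected by this rule.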

Good morning,

Sorry for the delay in answering.

I have been testing and configuring the stream rule as you have indicated and the filtering is done correctly using the first letter of the source as a reference.

In one of the streams it is only filtering the sources that begin with “d” and in the other with “p” as expected.

The only problem I’m having is that there are some cases in which filtering is not being applied: they are sources whose name is followed by the domain, for example “dapp1.local”. In this case the rule is not being applied and the log enters through the “All messages” stream.

Thank you so much.

All the best.
