Rewriting messages with Drools


(Hitsu Yaga) #1

Dear all,
I have just built a Graylog server to collect log messages from a Juniper firewall. I have a requirement that I only want to receive logs from some customers and, by default, deny all messages. I wrote a drl file as below, but now I don't receive any log messages. So I wonder how the graylog-instance reads and executes my drl file? Could anyone please help me address this problem?

import org.graylog2.plugin.Message

// Allow-list: messages tagged with the Customer-A zone are kept.
// filterOut is false by default, so this rule only makes the intent explicit.
rule "Accept all messages that start with Customer-A-Zone"
when
    m : Message( getField("source-zone-name") == "Customer-A-Zone" )
then
    m.setFilterOut(false);
end

// Explicit block: drop everything whose source is the SRX0 firewall.
rule "Blacklist all messages from SRX0 firewall"
when
    m : Message( getField("source") == "SRX0" )
then
    m.setFilterOut(true);
end

// Default deny: the two rules above never drop a message that is neither from
// Customer-A-Zone nor from SRX0, so without this rule everything else is accepted.
// A missing source-zone-name field also fails this comparison and is dropped.
rule "Drop all messages that are not from Customer-A-Zone"
when
    m : Message( getField("source-zone-name") != "Customer-A-Zone" )
then
    m.setFilterOut(true);
end


(Jochen) #2

I would recommend using processing pipeline rules to remove messages: http://docs.graylog.org/en/2.2/pages/pipelines.html

Support for Drools will be deprecated sooner or later in favor of the processing pipeline.
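
The same allow-list with default deny, written as processing pipeline rules instead of Drools. This is an added example and not code from the thread or from the Graylog documentation; the field names `source-zone-name` and `source` and the values `Customer-A-Zone` and `SRX0` are taken from the first post, while the pipeline name and the assumption that quoting (`$message."source-zone-name"`) is the way to reference a field whose name contains a hyphen are mine. Unlike the Drools version, the deny is an explicit condition rather than a rule that must fire in the right order, so the outcome does not depend on rule ordering or salience:

```text
// Keep everything from the Customer-A zone. A rule that matches and takes no
// action leaves the message untouched, so this rule only documents the intent.
rule "allow Customer-A-Zone"
when
    to_string($message."source-zone-name", "") == "Customer-A-Zone"
then
    // no action: the message is kept
end

// Explicit block for the SRX0 firewall, regardless of zone.
rule "drop all messages from SRX0"
when
    to_string($message.source, "") == "SRX0"
then
    drop_message();
end

// Default deny: the second argument of to_string() is the value used when the
// field is absent, so a message without source-zone-name is dropped too.
rule "default deny: drop everything not tagged Customer-A-Zone"
when
    to_string($message."source-zone-name", "") != "Customer-A-Zone"
then
    drop_message();
end

// Assumed pipeline name; one stage is enough because every rule is independent.
pipeline "firewall-ingress-filter"
stage 0 match either
    rule "drop all messages from SRX0";
    rule "default deny: drop everything not tagged Customer-A-Zone";
    rule "allow Customer-A-Zone";
end
```

Two checks before relying on this: the pipeline only acts on messages of the streams it is connected to (System / Pipelines / Manage connections), and the Pipeline Processor has to run after the Message Filter Chain in the message processor order (System / Configurations) if the `source-zone-name` field is produced by an extractor, otherwise the field is still empty when the rules evaluate and the default-deny rule drops everything.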


(T J Yang) #3

@jochen, thanks for the Drools roadmap information.