Route to stream - Forwarder Input

bavarian · October 24, 2023, 8:38am

I have a Graylog Forwarder. I want to route the input from the Graylog Forwarder into a stream. Right now the logs arrive in the Default Stream.

For normal inputs, I make pipeline rules with the route to stream function.
Based on the input id or other fields, such as data path of the logs.
E.g.

rule "route to stream x"
when
    from_input(id:"64edf8eede67ea565c9ac431")
then
    route_to_stream(id: "64f6f1dba00f8f218c010726", remove_from_default: true);

I tried the same pipeline rule for the Graylog forwarder. However, I used the id of the Forwarder Input in Graylog itself, which did not work.

After that I tried to use the input id of the input opened on the Forwarder side itself (Input Profile). Which did not work either.

My logs from the Forwarder still arrive in the Default Stream.

How am I able to get the Input from the Forwarder into a specific steam? Thank you.

Joel_Duffield · October 24, 2023, 12:03pm

What version of Graylog are you running?

bavarian · October 24, 2023, 12:07pm

At the moment we run 5.1.2

Joel_Duffield · October 24, 2023, 1:04pm

How fine grained does it need to be, do you have more than one forwarder running the same input profile with the same inputs?

Joel_Duffield · October 24, 2023, 1:14pm

I would look at one of the messages that should have been routed, and see the vaoues for these two fields.

gl2_source_input (this is the input from the input profile, this id will be the same across all forwarders with the same profile applied)
gl2_source_node (this should be the unique forwarder or node of the cluster that the message was delivered to.)

The two of those combined should get your routing working.

bavarian · October 24, 2023, 2:01pm

It has not to be fine grained. Just one Forwarder with one Input Profile (having two inputs)

Ok.
gl2_source_input i do find easily: 6527b2eb296e5515b87192fc
gl2_source_node would be: 89b10b61-d650-49a4-a04b-82b99efca907

The problem is, how to combine them both?

ihe · October 24, 2023, 3:55pm

very easy

rule "route to stream x"
when
    to_string($message.gl2_source_input) == "6527b2eb296e5515b87192fc" AND
    to_string($message.gl2_source_node) == "89b10b61-d650-49a4-a04b-82b99efca907"
then
    route_to_stream(id: "64f6f1dba00f8f218c010726", remove_from_default: true);

Joel_Duffield · October 24, 2023, 8:58pm

^ what @ihe said!!!

bavarian · October 25, 2023, 6:33am

Thank you very much for your help @Joel_Duffield and @ihe . It is working now.

system · November 8, 2023, 6:33am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Configuration of streams Graylog Central (peer support) pipeline-rules , route-to-streampl	9	3333	July 15, 2020
Pipeline help - Route to different index Graylog Central (peer support) pipeline-rules , route-to-streampl	9	3997	June 19, 2018
Routing Messages Across Streams and Index Sets Graylog Central (peer support) pipeline-rules , route-to-streampl	2	1765	February 8, 2018
Rules for routing messages to different indexes Graylog Central (peer support) route-to-streampl	9	577	March 22, 2024
Best practice for splitting one input into multiple indices Graylog Central (peer support) pipeline-rules , route-to-streampl	1	2272	August 7, 2020

Route to stream - Forwarder Input

Related topics