Rule does not work as expected

schurd · June 28, 2017, 12:03pm

Hello All,

following rule should just drop the message if the log level is “7”:

rule "drop_level7_netscaler"
when
    syslog_level($message.level) == "7"
then
    drop_message();
end

Somehow this does not work.
Yes, the rule is part of a pipeline, which is attached to a stream.
I use Graylog 2.2.3.
The pipeline processor is active.

Thanks in advance for any help.

Best regards,

Dietmar Schur

maniel · June 28, 2017, 12:23pm

is the message level field set by extractor? if so, then you have to change message processors order in System / Configurations and move the Pipeline Processor to the end, after Message Filter Chain

schurd · June 28, 2017, 12:31pm

Hallo Maniel,

thanks for the quick reply.

Yes, if I swtich the order in
Message Processors Configuration
to:
1 GeoIP Resolver disabled
2 Message Filter Chain active
3 Pipeline Processor active

Then I get some throughput in the puipeline. This was always 0 before this change.
Before, the Pipeline Processor was second (2).

But in the respective stream I see lots of messages which should be dropped by the rule.
What is here missing?

What does drop_message() do? Does it really drop the message from all streams, once and for ever?

Best regards,

Dietmar Schurr

jochen · June 28, 2017, 12:33pm

The syslog_level() function converts the syslog severity number into its string representation, so syslog_level(7) will yield "Debug".

You could simply check the value of $message.level instead of using the syslog_level() function.

schurd · June 28, 2017, 12:44pm

Hello Jochen,
thank you very much. The problem is solved.
The working rule is:

rule "drop_level7_netscaler"
when
    to_string($message.level) == "7"
then
    drop_message();
end

Also I needed to switch the Messages Processor Configuration.

Now the Stream gets no more level 7 messages.

Great

Best regards,
Dietmar Schurr

jochen · June 28, 2017, 1:04pm

And even the to_string() method is not necessary if you compare to the numeric value.

schurd · June 28, 2017, 1:16pm

Hello Jooochen,

but

rule "drop_level7_netscaler"
when
    $message.level == 7
then
    drop_message();
end

does not work. The messages are not dropped.

Regards,

Dietmar

schurd · June 28, 2017, 1:23pm

Hello,

the rule:

rule "drop_level7_netscaler"
when
    to_long($message.level) > 5
then
    drop_message();
end

works well and filters all messages with level higher than 5.

Regards,

Dietmar

system · July 12, 2017, 1:24pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Dropping messages using Pipelines Graylog Central (peer support) pipeline-rules , debuggingpl	4	6751	August 2, 2019
Error in rule that drop log message Graylog Central (peer support)	4	512	February 15, 2018
Copy Stream in Graylog Graylog Central (peer support)	5	963	February 5, 2018
Unable to Drop syslog messages based on message contents Graylog Central (peer support)	12	990	September 4, 2022
Drop message before "All Messages" stream Graylog Central (peer support) pipeline-rules , route-to-streampl	3	1596	April 7, 2020

Rule does not work as expected

Related Topics