Rules required to delete a specific log

hello guys :slight_smile:

I am trying to create a rule that indicates how many users are currently connected to a server.

The message processors are in the following order: Message Filter Chain-Pipeline Processor-AWS Instance Name Lookup-GeoIP Resolver.

There is one stream called login_user for me, and only the ‘New session’ log goes into it.

Now here are the conditions!

  1. When a log containing the string ‘Remove session’ comes into the ‘All messages’ stream, the session number should be extracted from the log.

  2. After that, you need to find the ‘New session’ log in the ‘login_user’ stream that matches the session number of ‘Remove session’ and delete it.

This is the rule I want, but it may be difficult to satisfy the condition.

If so, I would like to be able to at least delete any one log from the ‘login_user’ stream without extracting the session number.

This is the rule I’ve put together so far.

rule "Remove_Messages"
when
   // Match on the message text; the third argument makes the search case-insensitive
   contains(to_string($message.message), "Removed session", true)
then
   // remove_from_stream(id, name, message): the first positional argument is the
   // stream ID, so the stream must be passed by name explicitly
   remove_from_stream(name: "login_user");
end

This rule simply deletes the log containing ‘Remove session’ from the ‘login_user’ stream.

I also don’t know how to delete a specific message using the ‘remove_from_stream’ function.

I definitely don’t understand the pipeline, and I don’t have the skills to solve this problem.

I desperately need help now.

Hello @pat-bung && Welcome

I think something like this.

rule "Remove_Messages"
when
   contains(to_string($message.message), "Removed session", true)
then
   drop_message();
end

You can also use the “Simulator” in Graylog (located under System/Pipeline) to make sure the pipeline rule works.

Is this for Windows Devices? If so you can create rules on that stream.

For Example:…

Then make a Widget or Notification from there.

I have different streams for logon because Windows Creates a different LogonType depending how you logon to a device.

EDIT: When you create a pipeline, attach it to the stream you want, for instance your stream called login_user.
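The two conditions in the question (extract the session number from a ‘Removed session’ log, then relate it to the matching ‘New session’ log) can be approximated by tagging both events with the same session ID as they arrive, so a dashboard widget can compare them. The rules below are an added example, not code from the thread or from Graylog’s documentation. They assume the Ubuntu systemd-logind message format (“New session 42 of user alice.” and “Removed session 42.”) and the field names session_event, session_id and session_user, all of which are my own choices:

```graylog
// Added example: tag systemd-logind session events with a session ID so that
// "New session" and "Removed session" messages can be correlated in a widget.
// Assumed log format (Ubuntu systemd-logind):
//   "New session 42 of user alice."
//   "Removed session 42."
// Field names session_event, session_id and session_user are assumptions.

rule "tag_new_session"
when
   contains(to_string($message.message), "New session", true)
then
   // Capture groups: 0 = session ID (e.g. "42" or "c1"), 1 = user name
   let m = regex("New session (\\w+) of user (\\w+)", to_string($message.message));
   set_field("session_event", "new");
   set_field("session_id", to_string(m["0"]));
   set_field("session_user", to_string(m["1"]));
end

rule "tag_removed_session"
when
   contains(to_string($message.message), "Removed session", true)
then
   // Capture group 0 = session ID; the same value the "New session" log carried
   let m = regex("Removed session (\\w+)", to_string($message.message));
   set_field("session_event", "removed");
   set_field("session_id", to_string(m["0"]));
end
```

Attach both rules to a pipeline connected to the ‘All messages’ stream and check them in the Simulator with one line of each format. The caveat is that pipeline rules only act on messages as they are processed: they cannot modify or delete a ‘New session’ message that has already been indexed, so the count of connected users has to come from the search side, for example a widget that compares the distinct session_id values with session_event:new against those with session_event:removed over the chosen time range.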

Thanks for the quick reply!!
Is it okay if I ask you one more thing?

I’m using ubuntu and when a user disconnects a session, the user count should go down by one in the graylog dashboard.

Is it possible without using a pipeline?

It should. This depends on how you set up your widget.
Example:

If you have it set for a day, minutes, or hours, that user will disappear after the time is up.

EDIT: For disconnected users I have a separate stream; this would be for too many authentication attempts.

Thanks for the details! :smile:
I’ll try my best based on what you told me!
@gsmith I will never forget this help.