Rules required to delete a specific log

hello guys :slight_smile:

I am trying to create a rule that indicates how many users are currently connected to a server.

The message processors are in the following order: Message Filter Chain-Pipeline Processor-AWS Instance Name Lookup-GeoIP Resolver.

There is one stream called login_user for me, and only the ‘new session’ log goes into it.

Now here are the conditions!

  1. When a log containing the string ‘Remove session’ comes into ‘All messages’ stream, the session number should be extracted from the log.

  2. After that, you need to find the ‘New session’ log in the ‘login_user’ stream that matches the session number of ‘Remove session’ and delete it.

This is the rule I want, but it may be difficult to satisfy the condition.

If so, I would like to be able to at least delete any one log from the ‘login_user’ stream without extracting the session number.

This is the rule I’ve put together so far.

rule "Remove_Messages"
when
   contains(to_string($message.message), "Removed session")
then
   // remove_from_stream(id, name): the first positional argument is the stream id,
   // so the stream must be referenced by its name explicitly
   remove_from_stream(name: "login_user");
end

This rule simply deletes the log containing ‘Remove session’ from the ‘login_user’ stream.

I also don’t know how to delete a specific message using the ‘remove_from_stream’ function.

I definitely don’t understand the pipeline, and I don’t have the skills to solve this problem.

I desperately need help now. 8ㅁ8

Hello @pat-bung && Welcome

I think something like this.

rule "Remove_Messages"
when
   contains(to_string($message.message), "Removed session", true)
then
   drop_message();
end

You can also use the “Simulator” in Graylog, located under System/Pipeline, to make sure the pipeline rule works.

Is this for Windows Devices? If so you can create rules on that stream.

For Example:


Then make a Widget or Notification from there.

I have different streams for logon because Windows creates a different LogonType depending on how you log on to a device.

EDIT: When you create a pipeline, attach it to the stream you want, for instance your stream called login_user.
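As an added illustration of the "separate stream for disconnected users" approach (this is not code from the thread), the two rules below extract the session number from the "New session" and "Removed session" lines and keep each kind of event in its own stream, so a dashboard can count logins and logouts side by side. The log format assumed is systemd-logind’s ("New session 42 of user bob." / "Removed session 42."), and the stream name logout_user is a hypothetical one that has to exist before the rule is attached.

```graylog
rule "Tag new sessions"
when
   contains(to_string($message.message), "New session", true)
then
   // assumed format: "New session 42 of user bob."
   let m = regex("New session (\\d+) of user (\\S+)", to_string($message.message));
   set_field("session_id", to_long(m["1"]));
   set_field("session_user", m["2"]);
   // messages already arrive in login_user via the stream rules; nothing to route
end

rule "Route removed sessions"
when
   contains(to_string($message.message), "Removed session", true)
then
   // assumed format: "Removed session 42."
   let m = regex("Removed session (\\d+)", to_string($message.message));
   set_field("session_id", to_long(m["1"]));
   // hypothetical stream; create it first, then attach this pipeline to All messages
   route_to_stream(name: "logout_user");
end
```

With both streams carrying a session_id field, a dashboard widget can show the count of login_user messages next to the count of logout_user messages for the same time range, which is the "users currently connected" figure the question asks for, without having to delete earlier messages.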

Thanks for the quick reply!!
Is it okay if I ask you one more thing?

I’m using Ubuntu, and when a user disconnects a session, the user count should go down by one in the Graylog dashboard.

Is it possible without using a pipeline?

It should. This depends on how you set up your widget.
Example:

If you have it set for a day, minutes, or hours that user will disappear after time is up.

EDIT: For disconnected users I have a separate stream; this one would be for too many authentication attempts.

Thanks for the details! :smile:
I’ll try my best based on what you told me!
@gsmith I will never forget this help.
