Set up pipeline rules for certain hours (5.1.4)

Hi @gsmith, I have created a rule in a pipeline for certain hours (off hours). I have shared the rule as well, but it didn't work for me.
My graylog version is 5.1.4
rule "Between 6 PM and 6 AM"
when
( to_long(to_date($message.timestamp, "UTC").hourOfDay) >= 6 && to_long(to_date($message.timestamp, "UTC").hourOfDay) <= 18 )
then
set_field("trigger_workhours_off", true);
end
rule "Route to stream"
when
has_field("trigger_workhours_off")
then
route_to_stream("Logins after workhour");
end
Thanks in advance

Hi @aliraxa,

Are these both written as a single rule? If so, split them into two.

Second, are both of these rules in the same stage? If so, move one to the second stage.

Hey @aliraxa

Maybe try something like this example; you need to adjust the time.

rule "Between 6 AM and 6 PM"
when
	( to_long(to_date($message.timestamp, "American/Chicago").hourOfDay) >= 0 AND to_long(to_date($message.timestamp, "American/Chicago").hourOfDay) <= 6 ) OR
	( to_long(to_date($message.timestamp, "American/Chicago").hourOfDay) >= 18 AND to_long(to_date($message.timestamp, "American/Chicago").hourOfDay) <= 0 )
then
	set_field("trigger_workhours_off", true);
end

Then route to stream for the alert

rule "Route to stream"
when
    has_field("trigger_workhours_off")
then
    route_to_stream(id:"5d8acba383d72e04cba96317");
end

Stages look like this, and yeah, I made this 4 years ago :laughing:

@aliraxa

I forgot to mention you'll notice a 0 for the time; that would be midnight. It seems you're missing parts of the time frame. For the stream, perhaps use the Stream ID instead of the name; you can find the stream ID in your URL, so if you click the stream you want, you should see it here…

Try Stage 0 for rule Between 6 PM and 6 AM

then

Stage 1 for route to stream. Keep it simple until you get the hang of it.
Result:

Don't forget this is based off of a stream with the following rule set:

  • LogonType must match exactly 2 (Interactive (logon at keyboard and screen of system))
  • EventID must match exactly 4624 (User logged in)
  • full_message must contain An account was successfully logged on.

The reason why I created 3 rules was that, after testing, I noticed Windows Servers can use EventID 4624 for different logon types; some can be a service or app, so I had to get rid of the white noise. You probably can do it all from a pipeline, but I use that same stream for other issues and just never bothered changing it since it's been working for years. Hope that helps.

Hi @gsmith, thanks for your time. I have applied the rules, but the change I made is that I changed the message processor configuration:
go to System → Configuration → Message Processors, and it works for me.

AWS Instance Name Lookup
Stream Rule Processor
GeoIP Resolver
Message Filter Chain
Pipeline Processor


Hey @aliraxa

Yeah, I forgot to tell ya that :laughing: I was at work when replying to you.

Hi @gsmith, no worries. I just want to tell you the OR operator isn't working for me; I just made the changes in the first line and it works for me:

( to_long(to_date($message.timestamp, "American/Chicago").hourOfDay) >= 18 AND to_long(to_date($message.timestamp, "American/Chicago").hourOfDay) <= 23 )

Thanks again for your help
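The three `when` conditions in this thread can be checked offline before they go into a pipeline. The Python below is an added example, not code from the thread or from Graylog: it reproduces `to_long(to_date($message.timestamp, tz).hourOfDay)` with Python's `zoneinfo`, evaluates the original rule's condition, the `OR` version from the reply, and a corrected off-hours predicate against a handful of constructed 4624-style logon timestamps, and shows why the timezone argument matters (the same UTC instant is work time in winter and off hours in summer for Chicago). The IANA zone name used here is `America/Chicago`; the sample events, field names and the 18:00 to 06:00 window are assumptions for illustration.

```python
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

# Assumed off-hours window from the thread: 18:00 up to (not including) 06:00 local time.
OFF_HOURS_START = 18
OFF_HOURS_END = 6


def hour_of_day(ts_utc: datetime, tz: str) -> int:
    """Python equivalent of to_long(to_date($message.timestamp, tz).hourOfDay)."""
    return ts_utc.astimezone(ZoneInfo(tz)).hour


def original_condition(ts_utc: datetime, tz: str = "UTC") -> bool:
    """The first post's condition: 6 <= hour <= 18. This selects WORK hours, not off hours."""
    h = hour_of_day(ts_utc, tz)
    return 6 <= h <= 18


def or_condition(ts_utc: datetime, tz: str) -> bool:
    """The reply's condition: (0 <= h <= 6) OR (18 <= h <= 0).
    The second clause can never be true (no hour is both >= 18 and <= 0),
    so evening logons are silently missed; the first clause also includes 06:xx."""
    h = hour_of_day(ts_utc, tz)
    return (0 <= h <= 6) or (18 <= h <= 0)


def off_hours(ts_utc: datetime, tz: str) -> bool:
    """Corrected predicate: before 06:00 or at/after 18:00 local time."""
    h = hour_of_day(ts_utc, tz)
    return h < OFF_HOURS_END or h >= OFF_HOURS_START


def evaluate(messages: list, tz: str) -> dict:
    """Return {message id: True if it would get trigger_workhours_off set}."""
    return {m["id"]: off_hours(m["timestamp"], tz) for m in messages}


# Constructed sample: Windows interactive logon events (EventID 4624, LogonType 2) with UTC timestamps.
SAMPLE_EVENTS = [
    {"id": "summer-evening", "EventID": 4624, "LogonType": 2,
     "timestamp": datetime(2023, 7, 10, 23, 30, tzinfo=timezone.utc)},   # 18:30 CDT
    {"id": "winter-afternoon", "EventID": 4624, "LogonType": 2,
     "timestamp": datetime(2023, 12, 11, 23, 30, tzinfo=timezone.utc)},  # 17:30 CST
    {"id": "morning", "EventID": 4624, "LogonType": 2,
     "timestamp": datetime(2023, 7, 10, 14, 0, tzinfo=timezone.utc)},    # 09:00 CDT
    {"id": "late-night", "EventID": 4624, "LogonType": 2,
     "timestamp": datetime(2023, 7, 11, 3, 0, tzinfo=timezone.utc)},     # 22:00 CDT (previous day)
    {"id": "early-shift", "EventID": 4624, "LogonType": 2,
     "timestamp": datetime(2023, 7, 10, 11, 30, tzinfo=timezone.utc)},   # 06:30 CDT
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        ts = ev["timestamp"]
        print(f'{ev["id"]:16} local hour={hour_of_day(ts, "America/Chicago"):2} '
              f'original={original_condition(ts, "UTC")!s:5} '
              f'or_version={or_condition(ts, "America/Chicago")!s:5} '
              f'corrected={off_hours(ts, "America/Chicago")}')
```

Running it shows the two traps the thread hit: the first post's condition flags daytime logons, and the `OR` version never matches anything after 18:00 because its second clause is unsatisfiable, which is exactly the behaviour the asker worked around with `<= 23`. It also shows that the same UTC timestamp lands in or out of the window depending on daylight saving time, so the timezone passed to `to_date` should be the one the alert is meant to be judged in.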
