Specific message still coming, what to do?


(Achrafbsecure) #1

I created a rule to delete some messages, but my message is still coming; I don't know the reason.

```
rule "delete msg_software_reporter_tool.exe"
when
has_field("EventID")=="865" && has_field("message")=="software_reporter_tool.exe" && has_field("ProviderGuid")=="{7D29D58A-931A-40AC-8743-48C733045548}"
then
drop_message();
end
```


(Jan Doberstein) #2

First, please format your topics with Markdown

https://community.graylog.org/faq#format-markdown

Your rule tries to use a shortcut that does not work. See the documentation: http://docs.graylog.org/en/2.4/pages/pipelines/rules.html#rules

The when condition would need to be similar to:

```
// contains(value, search): the field value comes first, the text to look for second
has_field("one") && contains(to_string($message.one), "software_reporter_tool")
```

or

```
// the message being processed is referenced as $message
has_field("one") && to_string($message.one) == "{7D29D58A-931A-40AC-8743-48C733045548}"
```

depending on whether you want to compare against the complete string or just check whether the field contains a specific value.


(Achrafbsecure) #3

First, thanks for your reply.

I'm sorry about the format; I'm new to your community.


(Achrafbsecure) #4

Hello again.
When I try to write your code I receive an error on the line `to_string($messages.one) == "{7D29D58A-931A-40AC-8743-48C733045548}"`


(Jan Doberstein) #5

OK.

Without sharing any additional information, nobody is able to help you.


(Achrafbsecure) #6

Thanks for replying to me.
Here is the message:

```
Alert Description: Stream had 2 messages in the last 5 minutes with trigger condition more than 0 messages. (Current grace time: 0 minutes)
Date: 2018-07-26T17:44:36.589Z
Stream ID: 59512d24cb509906b4833058
Stream title: Unauthorized Softs
Stream description: SRP Event logs
Alert Condition Title: Unauthorized Soft Alert
Stream URL: http://siem.bsecure.fr:9000/streams/59512d24cb509906b4833058/messages?rangetype=absolute&from=2018-07-26T17:39:36.589Z&to=2018-07-26T17:44:36.589Z&q=*

Triggered condition: 5612a277-a102-4c39-bcbf-30c510c52fc0:message_count={time: 5, threshold_type: more, threshold: 0, grace: 0, repeat notifications: true}, stream:={59512d24cb509906b4833058: "Unauthorized Softs"}
##########

Last messages accounting for this alert:
source: POSTE-DOSSANTOS.CABINET-LUGASSY.COM | message: L’accès à C:\Users\ddossantos\AppData\Local\Google\Chrome\User Data\SwReporter\31.164.200\software_reporter_tool.exe a été restreint par votre administrateur par le niveau de stratégie de restriction du logiciel. { Task: 0 | Keywords: -9223372036854775808 | EventType: WARNING | Opcode: Informations | gl2_source_input: 57e2dbf9cb50990707373d13 | SeverityValue: 3 | Version: 0 | UserID: S-1-5-21-328836716-1436243881-743116339-1106 | gl2_source_node: 7bd1db4f-bd91-4c64-aacc-ae5f29dd7fa1 | ProcessID: 2896 | timestamp: 2018-07-26T17:43:13.000Z | OpcodeValue: 0 | SourceModuleType: im_msvistalog | level: 4 | Channel: Application | streams: [59512d24cb509906b4833058] | SourceName: Microsoft-Windows-SoftwareRestrictionPolicies | Severity: WARNING | AccountType: User | EventReceivedTime: 2018-07-26 19:43:41 | SourceModuleName: in | ProviderGuid: {7D29D58A-931A-40AC-8743-48C733045548} | full_message: L’accès à C:\Users\ddossantos\AppData\Local\Google\Chrome\User Data\SwReporter\31.164.200\software_reporter_tool.exe a été restreint par votre administrateur par le niveau de stratégie de restriction du logiciel. | ThreadID: 5988 | EventID: 865 | _id: 6f447ab0-90fb-11e8-9cf7-000c29d37ed8 | Domain: CABINET-LUGASSY | RecordNumber: 399598 | AccountName: ddossantos }
```
My rule:

```
rule "rule to delete logs that contain software_reporter_tool.exe"
when
// delete logs of software_reporter_tool.exe
// contains(value, search): the field value is the first argument, the text to find is the second
has_field("message") &&
contains(to_string($message.message), "software_reporter_tool.exe")
then
drop_message();
end
```
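For the SRP event pasted above, the following is an added example rule (not the poster's rule and not code from the Graylog project) that drops the event only when all three identifying fields agree and the blocked path is Chrome's own SwReporter directory, so that a same-named binary blocked anywhere else still reaches the stream. It assumes the field names shown in the pasted message (`EventID`, `ProviderGuid`, `message`) and Java-style `\\` escaping for backslashes inside rule string literals.

```graylog
// Added example: drop Windows SRP "access restricted" warnings (EventID 865)
// raised for Chrome's bundled software_reporter_tool.exe, and nothing else.
rule "drop SRP 865 warnings for Chrome software_reporter_tool.exe"
when
  // Provider and event id taken from the pasted message
  // (Microsoft-Windows-SoftwareRestrictionPolicies, event 865);
  // to_string() makes the comparison work whether EventID arrived as a number or a string.
  has_field("EventID") && to_string($message.EventID) == "865" &&
  has_field("ProviderGuid") &&
  to_string($message.ProviderGuid) == "{7D29D58A-931A-40AC-8743-48C733045548}" &&
  // contains(value, search, ignore_case): the field value is the first argument,
  // the text to look for the second.
  has_field("message") &&
  // Restrict to the known Chrome SwReporter location; backslashes are written as \\
  // (assumed Java-style escaping in rule string literals).
  contains(to_string($message.message), "\\Google\\Chrome\\User Data\\SwReporter\\", true) &&
  contains(to_string($message.message), "\\software_reporter_tool.exe", true)
then
  drop_message();
end
```

The rule has no effect until the pipeline that contains it is placed in a stage and that pipeline is connected to the stream receiving these events (in Graylog: System > Pipelines > Manage connections); a correct rule in an unconnected pipeline is a common reason why messages "still come". Matching on the directory as well as the file name keeps SRP warnings for an unexpected copy of the binary visible instead of silently discarding them.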


(system) #7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.