Stream Routing Issue


(Naren) #1

Hello Community,

I am trying to write a pipeline rule to route the message to a stream Suspected Attack if a specific condition is met. The moment I fire up pipeline rule, Graylog becomes too slow and below notification triggers. Logic seems to be fine but not sure whats going wrong:( It would be great if some one help resolve this issue. Thank you…

Notification:
Nodes with too long GC pauses (triggered a few seconds ago)
There are Graylog nodes on which the garbage collector runs too long. Garbage collection runs should be as short as possible. Please check whether those nodes are healthy. (Node: eece24e7-ff19-491e-9494-ee5a713d2f38, GC duration: 2321 ms, GC threshold: 1000 ms)

Pipeline Rule:
Stage 0:
rule "Cross Site Scripting"
when
((((((has_field(“dst”) AND not contains(to_string($message.dst), “N/A”)) || (has_field(“src”) AND not contains(to_string($message.src), “N/A”))) AND not contains(to_string($message.src), “8.8.8.8”)) AND contains(to_string($message.name), “Cross Site Scripting”)) AND not contains(to_string($message.severity), “Low”)) AND not contains (to_string($message.cat), “Reconnaissance”))
then
set_field(“suspected_attack”, true);
end

Stage 1:
rule "Suspected Attacks Inflate Rule"
when
to_bool($message.suspected_attack)
then
let mess = clone_message();
set_field(“cloned”,true);
route_to_stream(name: “Suspected Attack”, message:mess);
end

Note:

  • I am new to Graylog.
  • I want message to exist in both streams
  • I already tried using Stream ID but no luck :frowning:
  • Above pipeline rules are tagged to ALL messages stream.
  • Graylog Version: 2.2.3+7adc951, codename Stiegl
  • Both the streams are pointed towards same index.

(system) #2

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.