Stream Rule - is wildcard possible

anonymous · November 24, 2017, 8:39pm

Good day,

I’ve been trying to figure out if there is a way to create a stream rule based on a string within the message body.

I’ve looked through the internet and haven’t been able to find anything.

I’m able to sort my results on the elastic search with wildcard within the message body however for stream rule it appears to be a different set of rules.

I have snort setup to pipe information to our graylog and ultimately I would like to set email alerts on certain information coming from snort.

Please help. thanks.

Johnny

sachin · November 25, 2017, 5:50am

You can use the “contain” filter for your stream rules. streamedit

anonymous · November 27, 2017, 3:16pm

Hi Sachin,

thanks. Which version of graylog are you using? I don’t have contain as a selection? I’m using graylog 2.0

screenshot

Cheers,
Johnny

jochen · November 27, 2017, 3:28pm

The “contains” condition has been added in Graylog 2.1.2.

sachin · November 27, 2017, 3:43pm

Use 2.3
There are many cool enhancements made.

anonymous · November 27, 2017, 4:10pm

Thanks,

I’m sold on the idea of new enhancements.

=)

system · December 11, 2017, 4:10pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Filter Stream with wildcard Graylog Central (peer support)	2	496	December 16, 2023
Problem with stream rules Graylog Central (peer support)	7	781	November 22, 2023
Search Within Stream Shows Other Streams Graylog Central (peer support)	5	1924	December 10, 2018
Pipeline rule: contains on list Graylog Central (peer support) pipeline-rules , route-to-streampl	4	5674	May 22, 2019
Unable to create filters using * wildcard with filebeat_log_file_path: Graylog Central (peer support)	5	5021	June 20, 2019

Stream Rule - is wildcard possible

Related topics