Syslog pipeline rules don't apply

Hello, I have a Graylog server running with a syslog input.
The messages we're getting are way too big and contain too many fields for us.
I tried to use a pipeline to remove fields. In the simulator I get the result I want, but in my stream nothing changed.

Here is an extract of my rule (can't put it all):

rule "remove fields"
when
    // every message has a "message" field, so this condition matches all of them
    has_field("message")
then
    // remove_field() on a field the message does not have (e.g. "tz") is a no-op
    remove_field("logid");
    remove_field("subtype");
    remove_field("type");
    remove_field("tz");
    remove_field("vd");
end

And here is a message:

<189>date=2023-06-27 time=08:43:51 eventtime=1687841031780732737 logid="0000000015" type="traffic" subtype="forward" level="notice" vd="Traffic" srcintfrole="undefined"  proto=6 action="start" policyid=20 policytype="policy" 

As I said, I tried it in the simulator. Every field got removed, but not in my stream; I keep seeing them.

Make sure your messages are being put into the correct stream and that the pipeline is connected to that stream in the pipeline configuration.

Hello, I checked my pipeline; it is indeed connected to my stream.
It seems to work now. I don't really understand why, but at least it works.
Thanks all the same.

Check the time stamps on your collected messages. If they are off, it can lead to a delay in messages showing up in the UI.
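An added example, not code from the thread or from Graylog, that ties the two replies above together: it parses the posted sample message the way a syslog input plus a key=value extractor would (an approximation; the field names syslog_facility and syslog_severity and all function names are this example's own), applies the same removals as the posted rule so you can see what the simulator output should look like, and then checks the message's own timestamps as the last reply suggests. The sample message is the one posted in the thread; everything runs offline on the standard library.

```python
"""Emulate the posted "remove fields" rule and check the message timestamps."""
import re
from datetime import datetime, timezone

# Sample message copied from the thread: a FortiGate-style key=value body
# behind a syslog PRI header.
SAMPLE = (
    '<189>date=2023-06-27 time=08:43:51 eventtime=1687841031780732737 '
    'logid="0000000015" type="traffic" subtype="forward" level="notice" '
    'vd="Traffic" srcintfrole="undefined"  proto=6 action="start" '
    'policyid=20 policytype="policy"'
)

# The fields named in the posted rule's remove_field() calls.
REMOVE_FIELDS = ("logid", "subtype", "type", "tz", "vd")

PRI_RE = re.compile(r"^<(\d{1,3})>")
# key=value pairs; a value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_syslog(raw):
    """Split off the PRI header and extract key=value pairs from the body.

    Returns a dict shaped roughly like a Graylog message after a key-value
    extractor: the whole body in "message" plus one field per pair. The
    syslog_* field names are this example's own, not Graylog's.
    """
    m = PRI_RE.match(raw)
    if not m:
        raise ValueError("no syslog PRI header")
    pri = int(m.group(1))
    body = raw[m.end():].strip()
    fields = {
        "message": body,
        "syslog_facility": pri // 8,  # <189> -> 23 (local7)
        "syslog_severity": pri % 8,   # <189> -> 5  (notice)
    }
    for key, quoted, bare in KV_RE.findall(body):
        fields[key] = quoted if bare == "" else bare
    return fields


def apply_rule(fields):
    """Mirror of the posted rule: when has_field("message") then remove_field(...).

    Removing a field that is absent (here "tz") is a no-op, as in Graylog.
    """
    if "message" not in fields:
        return dict(fields)
    return {k: v for k, v in fields.items() if k not in REMOVE_FIELDS}


def device_clock_offset(fields):
    """Offset between the device's date=/time= fields and its eventtime= field.

    date=/time= are the device's local wall clock with no zone attached;
    eventtime is epoch nanoseconds, i.e. UTC. Reading date/time as UTC (what a
    timestamp parser does when no zone is given) and subtracting eventtime
    gives the amount by which the stored timestamp would be wrong. Sub-second
    precision is dropped because date/time only carry seconds.
    """
    local_as_utc = datetime.strptime(
        fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S"
    ).replace(tzinfo=timezone.utc)
    event_s = int(fields["eventtime"]) // 1_000_000_000
    event = datetime.fromtimestamp(event_s, tz=timezone.utc)
    return local_as_utc - event


if __name__ == "__main__":
    parsed = parse_syslog(SAMPLE)
    cleaned = apply_rule(parsed)
    print("removed:", sorted(set(parsed) - set(cleaned)))
    print("kept:", sorted(cleaned))
    print("date/time minus eventtime:", device_clock_offset(parsed))
```

For the posted message, date=/time= read as UTC sit four hours ahead of eventtime, so a rule that parses date/time without an explicit time zone would stamp the message in the future; the unambiguous value to build the timestamp from is eventtime.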
