Dear all,
I have two streams:
The first one is called ZZZ_MyFirewall, where I collect logs with this stream rule:
Field firewallname must be present
The second is called to_check, with these stream rules:
Field action must match exactly Allow
Field PkSource_geolocation must be present
Now I got this message:
source firewallname PkDestination_geolocation PkSource_geolocation
10.0.0.1 myfirewall 95.4667,8.6333 91.8919,12.5113
If I click on it, Graylog says that this message will be routed to ZZZ_MyFirewall,
but if I test it on the stream rules, the stream test is OK (all rules match).
So how can I create a more specific stream rule to first match this kind of message, and a second “catch all for this source” stream?