Test Against Stream ALL GREEN but message not routed in stream

(Andreaconsadoriw) #1

Dear all,
I’ve two streams:

The first one is called ZZZ_MyFirewall, where I collect logs with this stream rule:

Field firewallname must be present

The second is called to_check, with these stream rules:

Field action must match exactly Allow
Field PkSource_geolocation must be present

Now I got this message:

source		firewallname	PkDestination_geolocation	PkSource_geolocation	myfirewall		95.4667,8.6333				91.8919,12.5113

If I click on it, Graylog says that this message will be routed to ZZZ_MyFirewall,
but if I test it on the stream rules, the stream test is OK (all rules match).

So how can I create a more specific stream rule to first match this kind of message, and a second “catch all for this source” stream?

(Jochen) #2

Are all the message fields available in the message when it’s received by Graylog or are you creating the fields in an extractor or in a pipeline rule?

You can use the processing pipelines to route messages into streams with the route_to_stream() function.
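
The pipeline approach suggested in the reply above, as an added example that is not part of the original thread: a Graylog pipeline rule that mirrors the two to_check stream rules from the first post and routes matching messages with route_to_stream(). The rule title is made up here; the stream and field names are the ones given in the first post.

```graylog
// Added example, not from the thread. Assumes streams named "to_check" and
// "ZZZ_MyFirewall" exist and that this pipeline is connected to ZZZ_MyFirewall.
rule "route allowed geolocated firewall traffic to to_check"
when
  // Same conditions as the to_check stream rules:
  //   Field PkSource_geolocation must be present
  //   Field action must match exactly Allow
  has_field("PkSource_geolocation") &&
  to_string($message.action) == "Allow"
then
  route_to_stream(name: "to_check");
  // Optional: keep these messages out of the catch-all stream as well.
  // remove_from_stream(name: "ZZZ_MyFirewall");
end
```

For the extractor-created fields to be visible to the rule, the Pipeline Processor has to run after the Message Filter Chain in the message processors configuration.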

(Andreaconsadoriw) #3

Fields are created by extractor rules.
