I have tried everything to get this pipeline to work and I can’t seem to get the rename/set field portion of this to work. The routing portion works but the setting field names doesn’t I have tried every combination I can think of, I had to change the $message.winlog_event_id to $message.winlogbeat_event_id but I can’t figure out how to make it work with the Paramaters, I have 2 different options I have tried in here for Param 3 & 8 and neither one work. I feel like I’ve almost gotten it but I can’t find any documentation about using the variable $message with specific fields.
----------
rule "Printer_Tracking"
when
// Function converts generic fields names to useful ones
// then removes the unhelpful fieldnames because we don't want them
to_string($message.winlogbeat_event_id) == "307"
then
// change fields to something that makes sense.
set_field("print_user", $message.winlogbeat_winlog_user_data_Param3);
set_field("printed_from", $message._winlog_user_data_Param4);
set_field("printer_name", $message._winlog_user_data_Param5);
set_field("printed_from_ip", $message._winlog_user_data_Param6);
set_field("page_count", to_long($message.user_data_Param8));
remove_field("winlogbeat_winlog_user_data_Param1"); // document number
remove_field("winlog_user_data_Param2"); // action i.e. "Print Document"
remove_field("winlog_user_data_Param3");
remove_field("winlog_user_data_Param4");
remove_field("winlog_user_data_Param5");
remove_field("winlog_user_data_Param6");
remove_field("winlog_user_data_Param7"); //size in bytes
remove_field("winlog_user_data_Param8");
remove_field("winlog_process_thread_id"); // who cares about the thread id? Not me.
remove_field("winlog_process_pid"); // who cares about the pid? Also Not me.
remove_field("winlog_opcode"); //
// Pull out for reporting
route_to_stream("Printing_reports_stream");
end
------------
Any thoughts/advice?
Moved to a dedicated thread.
Printer tracking pipeline - $message_ field names not working for set or rename - Templates and Rules Exchange / Pipeline Rules - Graylog Community
Long story short we had 2 problems, 1 we needed to remove the appending of winlogbeats from the input & 2 we had miss-named the stream Printer_reports_stream rather than Printing_reports_stream. Just for anyone else that attempts this dashboard.