Unable to Drop syslog messages based on message contents

daniel.lang · August 11, 2022, 12:01am

HI All,

I am encountering an issue with pipeline configuration where I seem to be unable to drop Syslog messages based on the message contents.

I have done some googling / searching of the forum and the other suggestions don’t seem to be helping.

I am running Graylog 4.1.14-1 on Ubuntu 22.04.1 LTS

An example of the message type I am trying to drop is below:

%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet1/0/32 (not half duplex), with -Device Name- GigabitEthernet0 (half duplex).

I have created a new pipeline and attached it to the all messages stream with the following rule attached. to the Stage 0 section of the pipeline

rule "Drop CDP Duplex Noise"
when 
    contains(to_string($message.msg), "duplex mismatch") 
then 
    drop_message();
end

Under the Message processor configuration, I have the default pipeline processor then the message filter chain. I did try reordering them but didn’t have any luck with that.

gsmith · August 12, 2022, 1:47am

Hello,

Have you tried.

contains(to_string($message.msg), "DUPLEX_MISMATCH")

By chance is that a custom field “message.msg”?

Have you seen this post?

daniel.lang · August 12, 2022, 2:06am

Hi,

Thanks for the response.

I have tried a number of different combinations and interestingly I have created another pipeline rule that actually works as intended

This rule drops the SpamAPTask messages from our WLC’s

rule “Drop SpamApTask”
when
contains(to_string($message.message), “spamApTask”)
then
drop_message();
end

But the CDP Mismatch error still doesn’t get dropped. I have updated the rule as per below but still doesn’t seem to be having the desired effect.

rule “Drop CDP Duplex Noise”
when
contains(to_string($message.message), “DUPLEX_MISMATCH”)
then
drop_message();
end

gsmith · August 12, 2022, 2:18am

I see, have you tried the debug() in the rule?

daniel.lang · August 12, 2022, 2:34am

Thanks for the tip around the debug function.

I wrapped the debug around the drop_message function and I get the following output in the log.

2022-08-12T12:33:13.065+10:00 INFO [Function] PIPELINE DEBUG: Passed value is NULL.
2022-08-12T12:33:13.066+10:00 INFO [Function] PIPELINE DEBUG: Passed value is NULL.
2022-08-12T12:33:13.360+10:00 INFO [Function] PIPELINE DEBUG: Passed value is NULL.
2022-08-12T12:33:14.066+10:00 INFO [Function] PIPELINE DEBUG: Passed value is NULL.
2022-08-12T12:33:15.076+10:00 INFO [Function] PIPELINE DEBUG: Passed value is NULL.
2022-08-12T12:33:15.874+10:00 INFO [Function] PIPELINE DEBUG: Passed value is NULL.
2022-08-12T12:33:16.743+10:00 INFO [Function] PIPELINE DEBUG: Passed value is NULL.

gsmith · August 12, 2022, 2:36am

I see, so its not even grabbing it.
Wonder if its because it looks like this %CDP-4-DUPLEX_MISMATCH

daniel.lang · August 12, 2022, 2:39am

I just tried updating the message with the full message value and I get the same result in the log file.

Would I need to escape out the %?

gsmith · August 12, 2022, 2:48am

I think so, and double escape it \\. Doesn’t hurt to try.

Been think about this, I’m wonder if maybe regex to grab that unique string then drop it. Just an idea, I haven’t done it yet.

EDIT: I don’t have time tonight to lab this out but if @tmacgbay is around he may have an idea. If not I’ll be able to help more tomorrow

tmacgbay · August 12, 2022, 3:51pm

I think you want $message.message here because you are checking to see if the entire message has an instance of "duplex mismatch"

rule "Drop CDP Duplex Noise"
when 
    contains(to_string($message.message), "duplex mismatch") 
then 
    drop_message();
end

daniel.lang · August 14, 2022, 11:28pm

Thanks for the reply, I have changed it to $message.message and still having issues dropping the messages.

tmacgbay · August 15, 2022, 3:30pm

Try:

rule "Drop CDP Duplex Noise"
when 
    contains(to_string($message.message), "duplex mismatch") 
then
 // use $ tail -f /var/log/graylog-server/server.log to watch for the results of the below debug message
 //
    debug("_*_*_* - Drop Message rule was hit."); 
    drop_message();
end

If the debug statement doesn’t appear in your server log then “duplex mismatch” is not being found in the message… check to make sure the pipeline is attached to the correct stream and if it is, are there other pipelines attached to the stream or other rules/stages that run before this one?

daniel.lang · August 21, 2022, 11:41pm

Hi All,

Just wanted to come back and say I had resolved the issue.

It appears for whatever reason the rule was just broken, deleting and recreating it seemed to of resolved the issue.

Thanks for all your assistance, its been much appreciated.

system · September 4, 2022, 11:41pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Pipeline Rule - Drop messages with field containing IP Graylog Central (peer support) pipeline-rules , debuggingpl	7	3339	March 26, 2021
Dropping messages using Pipelines Graylog Central (peer support) pipeline-rules , debuggingpl	4	7161	August 2, 2019
Filter messages depending on content Graylog Central (peer support) pipeline-rules , debuggingpl	7	6652	September 25, 2020
Pipeline Drop Message Not Working Graylog Central (peer support)	14	1335	February 1, 2023
Drop message from Pipeline not working Graylog Central (peer support)	4	1747	March 30, 2020

Unable to Drop syslog messages based on message contents

Related topics