I know we can reference $message in a rule, but is it possible to use full_message instead? The reason being that after stripping the fields in a Windows log message, all that is left is a small header, so rules are not able to be evaluated correctly.
The rule I'm trying is:
rule "Drop"
when
true
then
drop_message();
end
and it is not able to catch anything from a stream whose messages I want all dropped.
@Alper ,
Thanks for your question! Our community members will be able to help you with responses from their experience in Graylog.
I’ll start the responses with my take on your issue. I believe you can write a rule that uses the full_message instead of referencing a specific field. Here’s a conceptual example:
rule "Drop full message"
when
true
then
drop_message(to_string(to_json(full_message)));
end
This rule will drop the full message stream, regardless of its contents. The to_string and to_json functions will convert the message to a string, which is required by the drop_message function.
Note that this rule will drop all events in the message stream, so be careful when using it. If you only want to drop certain events based on specific conditions, you may want to modify the when clause to specify those conditions. You don't mention the specific Graylog version you're using, so please check the appropriate documentation for your product.
So $message alone means the whole message; in your example you would reference full_message with $message.full_message, or just replace anything after the dot with the field name you want to target.
It's done this way because you can technically be working on multiple copies of messages at once, but you don't need to go down that rabbit hole right now.
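As an added example (not part of any post in this thread), here is a rule written in the Graylog pipeline rule language that uses the $message.full_message reference described in the reply above. Instead of dropping everything with `when true`, it drops only those Windows events whose full body contains a marker, which is the pattern the original question is reaching for. The rule name, the "EventID=4688" marker (Windows process-creation events, written here in a constructed `EventID=` form that depends on your forwarder's output format) and the use of `contains` are assumptions for illustration, not taken from the thread:

```graylog
// Added example, not code from the thread. Assumes Graylog pipeline rule syntax
// with has_field(), to_string(), contains() and drop_message() as documented.
rule "Drop Windows process-creation noise by full_message"
when
    // Guard first: full_message only exists when the input stored the raw
    // message, so a rule that references it blindly matches nothing.
    has_field("full_message") &&
    // $message.full_message is the untouched original body; $message.message
    // is the trimmed header left after field extraction. The trailing `true`
    // makes the match case-insensitive. "EventID=4688" is a constructed marker.
    contains(to_string($message.full_message), "EventID=4688", true)
then
    drop_message();
end
```

Two checks before concluding the rule "does not catch anything": the pipeline holding the rule must be connected to the stream (System > Pipelines > Manage connections) and the rule must sit in one of that pipeline's stages; and if the stream is populated by stream rules, the Pipeline Processor must run after the Message Filter Chain in System > Configurations > Message Processors, otherwise the pipeline evaluates messages before they are routed into the stream and never sees them. The pipeline simulator (System > Pipelines > Simulator) will show whether the rule matches a pasted sample message. Also note that full_message is only populated when the input keeps it, for example a syslog input with "Store full message" enabled or a GELF sender that sets the field, which is why the has_field guard comes first.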