Hi,
As the number of examples for rule files in Graylog is pretty limited, I was wondering about the best way to have some kind of helper that would read some data from an external file (let's say CSV) and then allow filtering messages based on this data.

As a basic example, I want to filter out Windows event logs based on event_id. In the current implementation I have the following rule:
--------------8<-----------------------
rule "Blacklist windows event logs"
when
m: Message( getField("event_id") matches "^(1111|468(8|9)|4634|4648)$")
then
m.setFilterOut(true);
end
-------------->8-----------------------
Although the above works fine, there are a few problems with it:
- There is no way to dynamically add more IDs to filter out
- I need to restart the Graylog server each time I modify the rule

So what I want to have is a list of event IDs that I want to filter out somewhere in a file, and then read it in and use it to filter messages.
One workaround that I can do now is to adjust the "when" part of the rule to just check that the "event_id" field exists and then, in the "then" part, use Java to read the file and decide, but this brings some concerns:
As I understand, the "then" part is called each time a message matches the "when" condition, so if I implement a file lookup it will be done for each message passing the rule, and I bet it is a bit excessive on system resources.
If I have more similar rules, the code will probably get messy.
I know that pipelines are coming one day with Graylog 2, but until that time I would imagine the following solution:
1. Create some helper class that will have methods to do the evaluation
2. Import that class in the rules file
3. Create an instance of the class when the rule file is loaded and make sure it reads the input file with event_ids once (or do a periodic refresh based on the last read time)
4. Use the instance of the above helper class in the rule conditions (or actions) to do the job

I assume that all of the above is possible, but since there are not that many examples around, I have no proper starting point to implement the idea.
If anyone already has something similar, I would really appreciate it if you could share it.
--
Best Regards,
Alexnader Mamchenkov
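The helper class sketched in steps 1 to 4 above, as an added example that is not from the original post or from Graylog itself: a static blacklist of event IDs loaded from a CSV file (path assumed), re-read at most once a minute and only when the file's modification time has changed, so the per-message cost inside the rule is a hash-set lookup rather than a file read.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.*;

/** Hypothetical helper: event IDs to drop, read from a CSV file and cached in memory. */
public final class EventIdBlacklist {
    // Assumed path; one ID per line or comma separated, '#' starts a comment line.
    private static final Path FILE = Paths.get("/etc/graylog/event_id_blacklist.csv");
    private static final long REFRESH_MS = 60_000L;   // look at the file's mtime at most once a minute
    private static volatile Set<String> ids = Collections.emptySet();
    private static volatile long lastCheck = 0L;
    private static volatile long lastModified = -1L;

    private EventIdBlacklist() {}

    /** Called from the rule for every message: a rate-limited staleness check plus a set lookup. */
    public static boolean contains(Object eventId) {
        if (eventId == null) return false;
        if (System.currentTimeMillis() - lastCheck >= REFRESH_MS) maybeRefresh();
        return ids.contains(String.valueOf(eventId).trim());
    }

    private static synchronized void maybeRefresh() {
        long now = System.currentTimeMillis();
        if (now - lastCheck < REFRESH_MS) return;     // another thread already checked
        lastCheck = now;
        try {
            long mtime = Files.getLastModifiedTime(FILE).toMillis();
            if (mtime != lastModified) {
                ids = load(FILE);                     // only re-parse when the file actually changed
                lastModified = mtime;
            }
        } catch (IOException e) {
            // keep the previously loaded set so a transient read error does not silently disable filtering
        }
    }

    static Set<String> load(Path file) throws IOException {
        Set<String> out = new HashSet<String>();
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String l = line.trim();
            if (l.isEmpty() || l.startsWith("#")) continue;
            for (String tok : l.split(",")) {
                String t = tok.trim();
                if (!t.isEmpty()) out.add(t);
            }
        }
        return Collections.unmodifiableSet(out);
    }
}
```

After importing the class in the rules file, the rule's condition could call `eval(EventIdBlacklist.contains(m.getField("event_id")))` instead of the regex; the exact Drools dialect accepted by the Graylog version in question is an assumption not verified here.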
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/329817e9-504e-4633-97e5-c9f40a9c97dc%40googlegroups.com.