Hi,

The 2.0 GA release is imminent (including pipelines), which will make something like this trivial ...

-- 
Best Regards,
Henrik Johansen

On 27 April 2016 at 11:00, Alexander Mamchenkov <[email protected]> wrote:
> Hi,
>
> As the number of examples for rule files in Graylog is pretty limited, I was wondering about the best way
> to have some kind of a helper that would read some data from an external file (let's say CSV) and then
> allow filtering messages based on this data.
>
> As a basic example, I want to filter out Windows event logs based on event_id. In the current implementation
> I have the following rule:
>
> --------------8<-----------------------
> rule "Blacklist windows event logs"
> when
>     m: Message( getField("event_id") matches "^(1111|468(8|9)|4634|4648)$")
> then
>     m.setFilterOut(true);
> end
> -------------->8-----------------------
>
> Although the above works fine, there are a few problems with it:
> - There is no way to dynamically add more IDs to filter out
> - I need to restart the Graylog server each time I modify the rule
>
> So what I want to have is a list of event IDs that I want to filter out somewhere in a file,
> and then read it in and use it to filter messages.
>
> One workaround that I can do now is to adjust the "when" part of the rule to just check that
> the "event_id" field exists, and then in the "then" part use Java to read the file and decide,
> but this brings some concerns:
>
> As I understand, the "then" part is called each time a message matches the "when" condition,
> so if I implement a file lookup it will be done for each message passing the rule, and I bet
> it is a bit excessive on system resources.
>
> If I have more similar rules, the code will probably get messy.
>
> I know that pipelines are coming one day with Graylog 2, but until that time I would imagine
> the following solution:
>
> 1. Create some helper class that will have methods to do the evaluation
> 2. Import that class in the rules file
> 3. Create an instance of the class when the rule file is loaded and make sure it reads the input file with event_ids once (or do a periodic refresh based on last read time)
> 4. Use the instance of the above helper class in the rule conditions (or actions) to do the job
>
> I assume that all of the above is possible, but since there are not that many examples around,
> I have no proper starting point to implement the idea.
>
> If anyone already has something similar, I would really appreciate it if you could share it.
>
> --
> Best Regards,
> Alexander Mamchenkov
>
> --
> You received this message because you are subscribed to the Google Groups "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/329817e9-504e-4633-97e5-c9f40a9c97dc%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
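Added example, not code from the thread or from the Graylog project: one way to implement the four steps Alexander outlines for a Graylog 1.x Drools rules file. The helper loads the event-ID list from a CSV file once, re-reads it only when the file's modification time changes (checked at most once per refresh interval), and is reached from the rule through a static accessor, so nothing has to be wired into Drools by Graylog. Assumed names and values: the class and package name (com.example.EventIdBlacklist), the file path /etc/graylog/filtered_event_ids.csv, a 60-second refresh interval, that the compiled class is reachable by the graylog-server classloader so the .drl can import it, and that event_id is compared by its string form. The matching DRL rule is given in the comment block at the top.

```java
/*
 * Matching rule for the Graylog 1.x rules file (Drools DRL). Assumed to sit
 * next to the rule Alexander posted; the helper is reached through a static
 * accessor, so no Drools global needs to be registered:
 *
 *   import org.graylog2.plugin.Message
 *   import com.example.EventIdBlacklist            // assumed package name
 *
 *   rule "Blacklist windows event logs (from CSV)"
 *   when
 *       m: Message( getField("event_id") != null )
 *       eval( EventIdBlacklist.get().contains(m.getField("event_id")) )
 *   then
 *       m.setFilterOut(true);
 *   end
 */
package com.example;  // assumed package

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

public final class EventIdBlacklist {
    // Assumed location and refresh interval; adjust to the deployment.
    private static final String DEFAULT_FILE = "/etc/graylog/filtered_event_ids.csv";
    private static final long DEFAULT_REFRESH_MS = 60_000L;

    // Lazy holder: the instance (and the first file read) happens when the
    // first message reaches the rule, not when the class is merely imported.
    private static final class Holder {
        static final EventIdBlacklist INSTANCE = new EventIdBlacklist(DEFAULT_FILE, DEFAULT_REFRESH_MS);
    }

    public static EventIdBlacklist get() { return Holder.INSTANCE; }

    private final Path source;
    private final long refreshMs;
    private volatile Set<String> ids = Collections.emptySet();
    private volatile long loadedMtime = -1L;
    private volatile long lastCheck = 0L;

    public EventIdBlacklist(String csvPath, long refreshMs) {
        this.source = Paths.get(csvPath);
        this.refreshMs = refreshMs;
        reload();
    }

    /** Called from the rule for every message: a hash lookup plus, at most
     *  once per refreshMs, a stat() of the file. Field values are compared
     *  as trimmed strings so both "4688" and a numeric 4688 match. */
    public boolean contains(Object eventId) {
        if (eventId == null) return false;
        maybeRefresh();
        return ids.contains(String.valueOf(eventId).trim());
    }

    /** Number of IDs currently loaded; handy for a startup or health log line. */
    public int size() { return ids.size(); }

    private void maybeRefresh() {
        long now = System.currentTimeMillis();
        if (now - lastCheck < refreshMs) return;          // fast path, no lock
        synchronized (this) {
            if (now - lastCheck < refreshMs) return;      // another thread already checked
            lastCheck = now;
            try {
                if (Files.getLastModifiedTime(source).toMillis() != loadedMtime) reload();
            } catch (IOException e) {
                // File vanished or unreadable: keep the last good list rather than
                // silently switching filtering off (or on) for every message.
            }
        }
    }

    private synchronized void reload() {
        Set<String> fresh = new HashSet<>();
        try {
            for (String line : Files.readAllLines(source, StandardCharsets.UTF_8)) {
                String trimmed = line.trim();
                if (trimmed.isEmpty() || trimmed.startsWith("#")) continue;   // blank lines and comments
                for (String token : trimmed.split(",")) {                     // one ID per line or comma-separated
                    String id = token.trim();
                    if (id.matches("\\d+")) fresh.add(id);                    // accept only numeric event IDs
                }
            }
            ids = Collections.unmodifiableSet(fresh);                        // atomic swap for readers
            loadedMtime = Files.getLastModifiedTime(source).toMillis();
        } catch (IOException e) {
            // Keep the previous set on a failed read; see maybeRefresh().
        }
    }
}
```

Two caveats worth keeping in mind with this design. The CSV becomes a control point over what the SIEM records: anyone who can write it can make the server drop whichever events they choose for every host, so it should be root-owned, read-only to the graylog user and under change control like the rules file itself. Also, 4688/4689 (process creation and exit), 4634 (logoff) and 4648 (logon with explicit credentials) are IDs that detection content commonly depends on; dropping them at ingest is irreversible, so it is usually better to narrow such filters by host or account than to suppress the IDs globally.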
