Hi Ovidiu,
You probably want to use the contains function (
http://docs.graylog.org/en/2.0/pages/pipelines/functions.html#contains) to
check whether the string "COMMAND=/var/www/bin/header.sh" is contained in
the message field and then drop the message.
The specific rule could look like the following:
rule "drop headers cron job"
when
contains($message.message, "COMMAND=/var/www/bin/header.sh")
then
drop_message($message);
end
Cheers,
Jochen
On Tuesday, 3 May 2016 10:10:41 UTC+2, Ovidiu Pacuraru wrote:
>
> I've been reading up on pipelines to filter out noise from the incoming
> logs. For example I have a web app which logs its own refreshes constantly
> and is flooding me so I'd like to learn how to filter them out.
>
> The messages look like this:
> message
> www-data : TTY=unknown ; PWD=/var/www ; USER=root ;
> COMMAND=/var/www/bin/header.sh network
>
> So I'd basically like to filter out any message containing
> "COMMAND=/var/www/bin/header.sh"
> in the message field. I've found a few functions for rules that look like
> they could be used but I am clueless how to put together a rule. Can
> anyone help out?
> drop_message(message: Message) This currently processed message will be
> removed from the processing pipeline after the rule finishes.
> has_field(field: string, [message: Message]) Checks whether the currently
> processed message contains the named field.
>
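As an added illustration (not part of the original thread or of Graylog itself), the following Python script models the two ways of deciding whether such a sudo log line is noise: the substring condition used in the rule above, and a stricter field-based condition. It parses the sudo message format shown in the thread into its fields and then compares both policies over a few constructed sample lines. The point it shows is that a plain "contains" rule also drops any other invocation of the same script (a different invoking user, a different TTY, or extra arguments), which is exactly the kind of event a defender usually wants to keep; matching the parsed fields only discards the known-good refresh. The field names, sample lines and the stricter policy are assumptions for the example.

```python
import re
from typing import Callable, Dict, List, Optional

# Regex for the sudo log line quoted in the thread, e.g.
#   "www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/var/www/bin/header.sh network"
# Field names are chosen for this example.
SUDO_RE = re.compile(
    r"^(?P<invoker>\S+)\s*:\s*"
    r"TTY=(?P<tty>[^;]*?)\s*;\s*"
    r"PWD=(?P<pwd>[^;]*?)\s*;\s*"
    r"USER=(?P<user>[^;]*?)\s*;\s*"
    r"COMMAND=(?P<command>.*)$"
)

# The substring the thread's pipeline rule looks for.
NEEDLE = "COMMAND=/var/www/bin/header.sh"


def parse_sudo(message: str) -> Optional[Dict[str, str]]:
    """Split a sudo message into its fields; None if the line is not in that format."""
    m = SUDO_RE.match(message.strip())
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def drop_by_contains(message: str) -> bool:
    """Same condition as the thread's rule: the substring appears anywhere in the field."""
    return NEEDLE in message


def drop_by_fields(message: str) -> bool:
    """Stricter (assumed) policy: drop only the exact known-good refresh invocation."""
    f = parse_sudo(message)
    if f is None:
        return False  # unknown format: keep it, never drop what we cannot parse
    return (
        f["invoker"] == "www-data"
        and f["tty"] == "unknown"
        and f["user"] == "root"
        and f["command"] == "/var/www/bin/header.sh network"
    )


def filter_messages(messages: List[str], policy: Callable[[str], bool]) -> List[str]:
    """Return the messages a pipeline using `policy` would keep."""
    return [m for m in messages if not policy(m)]


# Constructed sample lines: the first is the noise from the thread, the rest are
# variations that a substring rule would also discard.
SAMPLE_MESSAGES = [
    "www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/var/www/bin/header.sh network",
    "bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/var/www/bin/header.sh network",
    "www-data : TTY=pts/1 ; PWD=/var/www ; USER=root ; COMMAND=/bin/bash",
    "www-data : TTY=unknown ; PWD=/tmp ; USER=root ; COMMAND=/var/www/bin/header.sh network --extra",
]


if __name__ == "__main__":
    for name, policy in (("contains", drop_by_contains), ("fields", drop_by_fields)):
        kept = filter_messages(SAMPLE_MESSAGES, policy)
        print(f"{name}: kept {len(kept)} of {len(SAMPLE_MESSAGES)}")
        for line in kept:
            print("  ", line)
```

Running the script shows the "contains" policy keeping only the `/bin/bash` line, while the field-based policy keeps everything except the exact www-data refresh. The same distinction carries over to a pipeline rule: the `contains` check is the quickest fix for the flooding, but if the same script can legitimately be run from a shell, a condition on the parsed fields is the safer drop.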
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/00adb8ea-6145-4ee9-ac9f-7d0f8f8a4e7f%40googlegroups.com.