Hi Jason,

there's something coming up in Graylog 2.1.0 which will vastly simplify 
testing pipeline rules.

Feel free to give the alpha and beta releases a try!

Cheers,
Jochen

On Wednesday, 6 July 2016 05:42:43 UTC+2, Jason Haar wrote:
>
> Hi there
>
> First I want to say how wonderful the "extractor" webpage is: it's so easy 
> to create AND TEST extractors...
>
> ...unfortunately the new pipelines (which I want to use as they are the 
> official future) don't have the same testing capacity. Can someone tell me 
> what's wrong with this rule: it should extract pairs of ipv4 addresses out 
> of any message. The pipeline shows all messages flowing through it, but 
> none "hit" this rule. Conversely, my existing extractor rule that does the 
> same thing (but with different fieldnames) is triggering just fine - so 
> this rule must be broken - but I lack the background in whatever 
> Java-nightmare this is to debug it ;-)
>
> rule "function ExtractIPv4Pairs"
> when
>     regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]",to_string($message.message)).matches
> then
>     let pair = regex("[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z].*[^0-9a-zA-Z]([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)[^0-9a-zA-Z]",to_string($message.message),["src","dst"]);
>     set_field("pipeSrcIPv4",to_ip(pair.src));
>     set_field("pipeDstIPv4",to_ip(pair.dst));
> end
>
> Thanks
>
> PS: it would REALLY help if there were a bunch of sample rules that 
> demonstrated the fundamentals. The one example really doesn't demonstrate 
> enough    
>
> -- 
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +1 408 481 8171
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
>
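
Added example (not part of the thread, and not Graylog code): a small Python harness that runs the regex from the quoted rule over constructed sample messages, to check offline which message shapes it can match. Python's `re` stands in for the Java regex engine here, and because the thread does not say whether Graylog's `regex()` applies find or whole-string semantics, the harness reports both.

```python
import re

# Regex from the quoted rule. The rule language writes "\\." for the regex "\.".
SEP = r"[^0-9a-zA-Z]"
IP = r"([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)"
PAIR_RE = re.compile(SEP + IP + SEP + ".*" + SEP + IP + SEP)


def extract_pair(message):
    """Find semantics: (src, dst) if the pattern occurs anywhere, else None."""
    m = PAIR_RE.search(message)
    return (m.group(1), m.group(2)) if m else None


def matches_whole(message):
    """Whole-string semantics: True only if the pattern spans the full message."""
    return PAIR_RE.fullmatch(message) is not None


# Constructed sample messages (not from the thread).
SAMPLES = [
    "fw: SRC=10.1.2.3 DST=192.168.0.9 PROTO=TCP",  # both IPs delimited on each side
    "10.1.2.3 -> 192.168.0.9 denied",              # first IP at start of message
    "denied 10.1.2.3 -> 192.168.0.9",              # second IP at end of message
    "src 10.1.2.3 192.168.0.9 ok",                 # only one separator between IPs
    "[10.1.2.3] [192.168.0.9]",                    # pattern spans the whole message
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(f"{msg!r:50} find={extract_pair(msg)} whole={matches_whole(msg)}")
```

On these samples the pattern needs a non-alphanumeric character on each side of both addresses, and the two addresses cannot share a single separator, so an address at the very start or end of a message is never captured.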
