Hi,
I am trying to execute drool rules using some of the fields which I have
created using extractors, but the drool rule fails to execute. I have
created a field named month which extracts the month name from log, Below
is the rule "Rewrite month" I am trying to execute. FYI the "Rewrite
localhost host" rule works just fine.
// The following header lines are automatically added by Graylog server.
//package org.graylog2.rules
//import org.graylog2.plugin.Message
//global org.slf4j.Logger log
rule "Rewrite source host"
when
m : Message( source == "xyz" )
then
m.addField("source", "abcd" );
log.info( "[Overwrite source rule fired] : " + m.toString() );
end
rule "Rewrite month"
when
m : Message( _month_ == "Jan" )
then
m.addField("_month_", "Feb" );
log.info( "[Overwrite month rule fired] : " + m.toString() );
end
Q1. Is it possible to use custom fields into drool rules.
Q2. If possible where can I find the docs which tells how to do it.
Q3. If a rule such as "Rewrite source host" mentioned above is successfully
executed, does the original log is stored into elasticsearch or the
modified logs is stored or are both logs stored?
Q4. Is it possible to have multiple .drl file or only one file will have
multiple rules?
Attaching the logs file "graylog-server.log"
Thanks in Advance!!
Anant Sawant.
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to graylog2+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/864aeea5-36fe-4805-9dda-3426acb9426e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
2017-01-10 18:24:11,007 ERROR:
org.drools.compiler.kie.builder.impl.AbstractKieModule - Unable to build
KieBaseModel:defaultKieBase
Unable to Analyse Expression gl2_remote_ip == "172.16.0.78":
[Error: unable to resolve method using strict-mode:
org.graylog2.plugin.Message.gl2_remote_ip()]
[Near : {... gl2_remote_ip == "172.16.0.78" ....}]
^
[Line: 23, Column: 8] : [Rule name='Rewrite IP address']
2017-01-10 18:24:11,007 WARN : org.graylog2.rules.DroolsEngine - Unable to add
rules due to compilation errors.
org.graylog2.rules.RulesCompilationException: Message [id=1, level=ERROR,
path=r1.drl, line=23, column=0
text=Unable to Analyse Expression gl2_remote_ip == "172.16.0.78":
[Error: unable to resolve method using strict-mode:
org.graylog2.plugin.Message.gl2_remote_ip()]
[Near : {... gl2_remote_ip == "172.16.0.78" ....}]
^
[Line: 23, Column: 8]]
at org.graylog2.rules.DroolsEngine.createKJar(DroolsEngine.java:232)
~[graylog.jar:?]
at
org.graylog2.rules.DroolsEngine.createAndDeployJar(DroolsEngine.java:194)
~[graylog.jar:?]
at org.graylog2.rules.DroolsEngine.deployRules(DroolsEngine.java:169)
[graylog.jar:?]
at org.graylog2.rules.DroolsEngine.commitRules(DroolsEngine.java:147)
[graylog.jar:?]
at org.graylog2.rules.DroolsEngine.addRule(DroolsEngine.java:89)
[graylog.jar:?]
at
org.graylog2.rules.DroolsEngine.addRulesFromFile(DroolsEngine.java:102)
[graylog.jar:?]
at
org.graylog2.bindings.providers.RulesEngineProvider.<init>(RulesEngineProvider.java:44)
[graylog.jar:?]
at
org.graylog2.bindings.providers.RulesEngineProvider$$FastClassByGuice$$3947f391.newInstance(<generated>)
[graylog.jar:?]
at
com.google.inject.internal.cglib.reflect.$FastConstructor.newInstance(FastConstructor.java:40)
[graylog.jar:?]
at
com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:105)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
[graylog.jar:?]
at
com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
[graylog.jar:?]
at
com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
[graylog.jar:?]
at
com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375)
[graylog.jar:?]
at
com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258)
[graylog.jar:?]
at
com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
[graylog.jar:?]
at
com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
[graylog.jar:?]
at
com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375)
[graylog.jar:?]
at
com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258)
[graylog.jar:?]
at
com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
[graylog.jar:?]
at
com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
[graylog.jar:?]
at
org.graylog2.shared.buffers.ProcessBuffer.<init>(ProcessBuffer.java:91)
[graylog.jar:?]
at
org.graylog2.shared.buffers.ProcessBuffer$$FastClassByGuice$$ef94431e.newInstance(<generated>)
[graylog.jar:?]
at
com.google.inject.internal.cglib.reflect.$FastConstructor.newInstance(FastConstructor.java:40)
[graylog.jar:?]
at
com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:105)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
[graylog.jar:?]
at
com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
[graylog.jar:?]
at
com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
[graylog.jar:?]
at
com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
[graylog.jar:?]
at
com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375)
[graylog.jar:?]
at
com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258)
[graylog.jar:?]
at
com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
[graylog.jar:?]
at
com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:38)
[graylog.jar:?]
at
com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:62)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:104)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
[graylog.jar:?]
at
com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
[graylog.jar:?]
at com.google.inject.internal.FactoryProxy.get(FactoryProxy.java:56)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2$1.call(InjectorImpl.java:1016)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl$2.get(InjectorImpl.java:1012)
[graylog.jar:?]
at
com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:375)
[graylog.jar:?]
at
com.google.inject.multibindings.Multibinder$RealMultibinder.get(Multibinder.java:258)
[graylog.jar:?]
at
com.google.inject.internal.ProviderInternalFactory.provision(ProviderInternalFactory.java:81)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToInitializableAdapter.provision(InternalFactoryToInitializableAdapter.java:53)
[graylog.jar:?]
at
com.google.inject.internal.ProviderInternalFactory.circularGet(ProviderInternalFactory.java:61)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToInitializableAdapter.get(InternalFactoryToInitializableAdapter.java:45)
[graylog.jar:?]
at
com.google.inject.internal.SingleFieldInjector.inject(SingleFieldInjector.java:54)
[graylog.jar:?]
at
com.google.inject.internal.MembersInjectorImpl.injectMembers(MembersInjectorImpl.java:132)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:114)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:85)
[graylog.jar:?]
at
com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:267)
[graylog.jar:?]
at
com.google.inject.internal.BoundProviderFactory.get(BoundProviderFactory.java:61)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter$1.call(ProviderToInternalFactoryAdapter.java:46)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1103)
[graylog.jar:?]
at
com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
[graylog.jar:?]
at
com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:145)
[graylog.jar:?]
at
com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:41)
[graylog.jar:?]
at
com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:205)
[graylog.jar:?]
at
com.google.inject.internal.InternalInjectorCreator$1.call(InternalInjectorCreator.java:199)
[graylog.jar:?]
at
com.google.inject.internal.InjectorImpl.callInContext(InjectorImpl.java:1092)
[graylog.jar:?]
at
com.google.inject.internal.InternalInjectorCreator.loadEagerSingletons(InternalInjectorCreator.java:199)
[graylog.jar:?]
at
com.google.inject.internal.InternalInjectorCreator.injectDynamically(InternalInjectorCreator.java:180)
[graylog.jar:?]
at
com.google.inject.internal.InternalInjectorCreator.build(InternalInjectorCreator.java:110)
[graylog.jar:?]
at com.google.inject.Guice.createInjector(Guice.java:96) [graylog.jar:?]
at
org.graylog2.shared.bindings.Hk2GuiceBridgeJitInjector.create(Hk2GuiceBridgeJitInjector.java:60)
[graylog.jar:?]
at
org.graylog2.shared.bindings.GuiceInjectorHolder.createInjector(GuiceInjectorHolder.java:32)
[graylog.jar:?]
at
org.graylog2.bootstrap.CmdLineTool.setupInjector(CmdLineTool.java:379)
[graylog.jar:?]
at org.graylog2.bootstrap.CmdLineTool.run(CmdLineTool.java:193)
[graylog.jar:?]
at org.graylog2.bootstrap.Main.main(Main.java:44) [graylog.jar:?]
2017-01-10 18:24:11,010 WARN :
org.graylog2.bindings.providers.RulesEngineProvider - Unable to load rules due
to load error: /etc/graylog/server/rules.drl
