Hello Everyone!
I'm trying to set up a message tagging rule based on the EventID for PCI-DSS.
Right now I'm tagging the messages with a rule as follows on Stage0:
rule "Security"
when
  has_field("Channel") && (contains(to_string($message.Channel), "Security"))
then
  set_field("tag", "Security");
end
After this I would like to add another field - 'action' - based on the
EventID.
Just an Example:
4624 - "Successful Login"
4625 - "Failed Login"
4801 - "Workstation Unlocked"
and another 75 event descriptions.
Is it possible to check the value of the EventID after the 'THEN' part of
the rule?
My plan would be:
rule "action_tags"
when
  (contains(to_string($message.tag), "Security"))
then
  (check if EventID is 4624,
    set_field("action", "Successful Login");
  (check if EventID is 4625,
    set_field("action", "Failed Login");
  (check if EventID is 4800,
    set_field("action", "Workstation Unlocked");
end
So the question: is it possible to use conditional actions after the Then
part (like a CASE sequence)?
(I know I could put this even to the Stage0 rule above - just cannot figure
out how to use a condition after the Then)
Second question: ELSE
Is it possible somehow to have When/Then/Else sequence in one rule (do
something in case it is not true)?
Thank you!
--
You received this message because you are subscribed to the Google Groups
"Graylog Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/graylog2/ff31ba81-f499-4efb-8733-cb2485e30f28%40googlegroups.com.
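The pattern a practitioner would use for this, as an added example that is not part of the original post: a Graylog pipeline rule puts all of its conditions in the `when` block, the `then` block cannot contain conditions, and there is no `else`, so the per-EventID mapping is done either with one rule per EventID or with a lookup table, and the "else" case is a sibling rule with the negated condition. Each `rule` below is created as its own pipeline rule in the same stage (set to "match at least one of the rules"); the lookup table `windows_event_actions` and its CSV data adapter are assumed to exist and their names are hypothetical.

```graylog
// Added example (not from the original post): one rule per EventID, because a
// pipeline rule's "then" block cannot hold conditions. All of these rules live
// in one stage configured as "match at least one of the rules", so that a single
// matching rule is enough for the stage to run on a message.
rule "action: successful login"
when
  has_field("tag") && to_string($message.tag) == "Security" &&
  to_long($message.EventID) == 4624
then
  set_field("action", "Successful Login");
end

rule "action: failed login"
when
  has_field("tag") && to_string($message.tag) == "Security" &&
  to_long($message.EventID) == 4625
then
  set_field("action", "Failed Login");
end

// With ~75 EventIDs a lookup table is easier to maintain than 75 rules.
// Assumed: a CSV data adapter behind a lookup table named
// "windows_event_actions" (hypothetical name) with constructed rows such as:
//   "key","value"
//   "4624","Successful Login"
//   "4625","Failed Login"
//   "4801","Workstation Unlocked"
rule "action from lookup table"
when
  has_field("tag") && to_string($message.tag) == "Security" &&
  has_field("EventID")
then
  // The third argument is the default, which stands in for a missing "else"
  // branch when the EventID is not in the table.
  let action = lookup_value("windows_event_actions",
                            to_string($message.EventID), "Unmapped EventID");
  set_field("action", to_string(action));
end

// The "else" of a rule is a sibling rule with the negated condition; this one
// marks Security-tagged messages that carry no EventID at all.
rule "action: missing EventID"
when
  has_field("tag") && to_string($message.tag) == "Security" &&
  !has_field("EventID")
then
  set_field("action", "No EventID present");
end
```

The lookup-table rule and the per-EventID rules are alternatives; use one approach, not both, so that two rules never write `action` on the same message.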