Closed ovizii closed 8 years ago
@ovizii Please check the logs of your Graylog server for error messages and attach them to this issue.
Thanks, would you mind telling me where graylog2 logs to?
@ovizii That depends on how you've installed Graylog. By default, the logs should be written to /var/log/graylog/
.
Found them. Triggered the issue, then copy pasted the relevant parts of the logs. Everything before this log was about 2-3 hours older log.txt .
rule "drop headers cron job"
when
contains($message.message, "COMMAND=/var/www/bin/header.sh")
then
drop_message($message);
end
@ovizii is that the rule you are using?
If so, you should leave out the $message
in the call to drop_message
. It's confusing, but $message
is only used for accessing fields of the current message, not to refer to it as a whole.
We should probably change the behavior, allowing what you wrote in the rule, because it makes sense to expect it to work.
For now simply leave out the parameter and it should work as expected.
Thanks for helping out but now I see an error in the rule, see attached screenshot please. The new rule I tried is:
rule "drop headers cron job"
when
contains($message.message, "COMMAND=/var/www/bin/header.sh")
then
drop_message();
end
Whenever using $message.some_field
you need to convert the field value to a specific data type, in your case using to_string($message.message)
.
While this is verbose, it is by design, to retain the runtime type safety of the system. This way no rule will accidentally produce a wrong type.
If you need to repeatedly read a value you can assign it to a variable in a rule action, too. Please see the docs for an example: http://docs.graylog.org/en/2.0/pages/pipelines/functions.html
OK, I really suck at this but I think I "guesstimated" correctly :-) as I can see the rule being applied to my pipeline and the pipeline being connected to the default incoming stream.
Of course I could have gotten rid of these messages in the source system, but hey, I now know how pipelines work ;-)
I'm just wondering about the misleading error I got with my first try about the "cannot POST" as that lead me onto a completely wrong trail.
rule "drop headers cron job"
when
contains(to_string($message.message), "COMMAND=/var/www/bin/header.sh")
then
drop_message();
end
Not sure if this is an issue of the pipeline processor or me screwing up my nginx reverse proxy.
When I click save (while creating a rule) I get:
I had asked for help with a rule here: https://groups.google.com/forum/#!topic/graylog2/idD_hjywLJ0 and was advised to post it as a bug here just in case. My group thread about the proxy issue: https://groups.google.com/forum/#!topic/graylog2/Plxz6FY3kRo