joschi
commented
8 years ago @ovizii Please check the logs of your Graylog server for error messages and attach them to this issue.
Closed ovizii closed 8 years ago
joschi
commented
8 years ago @ovizii Please check the logs of your Graylog server for error messages and attach them to this issue.
ovizii
commented
8 years ago Thanks, would you mind telling me where graylog2 logs to?
joschi
commented
8 years ago @ovizii That depends on how you've installed Graylog. By default, the logs should be written to /var/log/graylog/.
ovizii
commented
8 years ago Found them. Triggered the issue, then copy pasted the relevant parts of the logs. Everything before this log was about 2-3 hours older log.txt .
kroepke
commented
8 years ago rule "drop headers cron job"
when
contains($message.message, "COMMAND=/var/www/bin/header.sh")
then
drop_message($message);
end@ovizii is that the rule you are using?
If so, you should leave out the $message in the call to drop_message. It's confusing, but $message is only used for accessing fields of the current message, not to refer to it as a whole.
We should probably change the behavior, allowing what you wrote in the rule, because it makes sense to expect it to work.
For now simply leave out the parameter and it should work as expected.
ovizii
commented
8 years ago Thanks for helping out but now I see an error in the rule, see attached screenshot please. The new rule I tried is:
rule "drop headers cron job"
when
contains($message.message, "COMMAND=/var/www/bin/header.sh")
then
drop_message();
end
kroepke
commented
8 years ago Whenever using $message.some_field you need to convert the field value to a specific data type, in your case using to_string($message.message).
While this is verbose, it is by design, to retain the runtime type safety of the system. This way no rule will accidentally produce a wrong type.
If you need to repeatedly read a value you can assign it to a variable in a rule action, too. Please see the docs for an example: http://docs.graylog.org/en/2.0/pages/pipelines/functions.html
ovizii
commented
8 years ago OK, I really suck at this but I think I "guesstimated" correctly :-) as I can see the rule being applied to my pipeline and the pipeline being connected to the default incoming stream.
Of course I could have gotten rid of these messages in the source system, but hey, I now know how pipelines work ;-)
I'm just wondering about the misleading error I got with my first try about the "cannot POST" as that lead me onto a completely wrong trail.
rule "drop headers cron job"
when
contains(to_string($message.message), "COMMAND=/var/www/bin/header.sh")
then
drop_message();
end
Not sure if this is an issue of the pipeline processor or me screwing up my nginx reverse proxy.
When I click save (while creating a rule) I get:
I had asked for help with a rule here: https://groups.google.com/forum/#!topic/graylog2/idD_hjywLJ0 and was advised to post it as a bug here just in case. My group thread about the proxy issue: https://groups.google.com/forum/#!topic/graylog2/Plxz6FY3kRo