airbus-cyber / graylog-plugin-alert-wizard

Alert Wizard plugin for Graylog to manage the alert rules

Pipelines created with new rule #19

Closed Sinagot closed 4 years ago

Sinagot commented 4 years ago

Hi,

When I create a new rule with the Wizard (version 3.1.0) (e.g. MyWizardRule), a new Pipeline is created with the following rule:

rule "function MyWizardRule" when then route_to_stream("MyWizardRule", "5e763f1293f7b802695ff2c9"); end

Is this normal behaviour? These pipelines are not matching any messages, so can I delete them?

tomasnk commented 4 years ago

Hi, yes, it's normal behaviour: when a new rule with a list is created, a pipeline is automatically created to match the list condition. So normally all the messages matching the list condition have to be routed to the stream. If the rule does not have a list, no pipeline is created. But if you manually delete the pipeline, the list condition will not be tested anymore.

Sinagot commented 4 years ago

Hi, the point is that a new pipeline is created when I set a new rule, even when the rule doesn't use lists. In my first message, the pipeline rule I gave as an example was created for a rule which doesn't use a list. I think this is a bug and not a feature ;)