Hi Ovidiu,

you probably want to use the contains function (
http://docs.graylog.org/en/2.0/pages/pipelines/functions.html#contains) to 
check whether the string "COMMAND=/var/www/bin/header.sh" is contained in 
the message field and then drop the message.

The specific rule could look like the following:

rule "drop headers cron job"
when
    contains($message.message, "COMMAND=/var/www/bin/header.sh")
then
    drop_message($message);
end


Cheers,
Jochen

On Tuesday, 3 May 2016 10:10:41 UTC+2, Ovidiu Pacuraru wrote:
>
> I've been reading up on pipelines to filter out noise from the incoming 
> logs. For example I have a web app which logs its own refreshes constantly 
> and is flooding me so I'd like to learn how to filter them out. 
>
> The messages look like this:
> message
> www-data : TTY=unknown ; PWD=/var/www ; USER=root ; 
> COMMAND=/var/www/bin/header.sh network
>
> So I'd basically like to filter out any message containing 
> "COMMAND=/var/www/bin/header.sh" 
> in the message field. I've found a few functions for rules that look like 
> they could be used but I am clueless how to put together a rule. Can 
> anyone help out?
> drop_message(message: Message) This currently processed message will be 
> removed from the processing pipeline after the rule finishes.
> has_field(field: string, [message: Message]) Checks whether the currently 
> processed message contains the named field.
>
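As an added illustration (not part of Jochen's reply or of Graylog itself), here is the same drop decision in Python: the plain substring test that the rule above performs, beside a stricter variant that parses the sudo-style message into its fields and drops only when the executable itself is header.sh, whatever its arguments. The sample messages and function names are constructed for this example.

```python
# Added example (not from the thread): a reference implementation of the drop
# decision for sudo-style messages like the one Ovidiu posted, so the rule's
# behaviour can be checked offline before it is deployed in Graylog.
# Function names and the sample lines below are constructed for illustration.

from typing import Dict, Optional

DROP_COMMAND = "/var/www/bin/header.sh"  # executable to silence (from the thread)


def parse_sudo_message(message: str) -> Optional[Dict[str, str]]:
    """Parse 'user : K=V ; K=V ; ...' into a dict; None if the shape differs."""
    head, sep, rest = message.partition(" : ")
    if not sep:
        return None
    fields = {"user": head.strip()}
    for part in rest.split(" ; "):
        key, eq, value = part.partition("=")
        if not eq:
            return None
        fields[key.strip()] = value.strip()
    return fields


def matches_substring(message: str) -> bool:
    """What contains($message.message, "COMMAND=...") does: a substring test."""
    return "COMMAND=" + DROP_COMMAND in message


def matches_exact_command(message: str) -> bool:
    """Tighter variant: drop only when the executable is exactly header.sh,
    regardless of its arguments, and never on a partial path match."""
    fields = parse_sudo_message(message)
    if fields is None or "COMMAND" not in fields:
        return False
    executable = fields["COMMAND"].split(" ", 1)[0]
    return executable == DROP_COMMAND


# Constructed sample messages: the noisy one from the thread, plus two that a
# substring filter treats differently from the parsed variant.
SAMPLES = [
    "www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/var/www/bin/header.sh network",
    "www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND=/var/www/bin/header.sh.bak network",
    "www-data : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash",
]


def drop_decisions(messages=SAMPLES):
    """Return (substring_drop, exact_drop) per message for side-by-side comparison."""
    return [(matches_substring(m), matches_exact_command(m)) for m in messages]
```

Only the first sample is dropped by both checks; the second shows where a substring match is broader than a match on the parsed COMMAND field.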
