Hello Everyone!

I'm trying to set up a message tagging rule based on the EventID for PCI-DSS.
Right now I am tagging the messages with a rule as follows on Stage 0:
 
rule "Security"
when
    has_field("Channel") && (contains(to_string($message.Channel), "Security"))
then
    set_field("tag", "Security");
end

After this I would like to add another field - 'action' - based on the 
EventID.
Just an example:
4624 - "Successful Login"
4625 - "Failed Login"
4801 - "Workstation Unlocked"
and another 75 event descriptions.
 
Is it possible to check the value of the EventID after the 'THEN' part of 
the rule?

My plan would be:

rule "action_tags"
when
    (contains(to_string($message.tag), "Security"))
then
    (check if EventID is 4624,
        set_field("action", "Successful Login");
    (check if EventID is 4625,
        set_field("action", "Failed Login");
    (check if EventID is 4800,
        set_field("action", "Workstation Unlocked");
end

So the question: is it possible to use conditional actions after the Then
part (like a CASE sequence)?
(I know I could even put this in the Stage 0 rule above; I just cannot figure
out how to use a condition after the Then.)

Second question: ELSE
Is it possible somehow to have When/Then/Else sequence in one rule (do 
something in case it is not true)?

Thank you!
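As an added example (not part of the original post), the same tagging written as Graylog pipeline rules, with the EventID-to-action mapping moved into a lookup table instead of per-EventID conditions in the then block, and the "else" case expressed as a second rule with the negated condition. It assumes a lookup table named event_actions (System > Lookup Tables) backed by a CSV data adapter; the rule names and the CSV rows are made up.

```text
// Added example, not from the original post.
// Assumes a lookup table "event_actions" backed by a CSV data adapter whose
// file maps EventID -> description, e.g. (constructed sample rows):
//   "key","value"
//   "4624","Successful Login"
//   "4625","Failed Login"
//   "4801","Workstation Unlocked"
// Each rule below is created as its own pipeline rule in Graylog.

// Stage 0: tag Windows Security channel events.
rule "Security"
when
    has_field("Channel") && contains(to_string($message.Channel), "Security")
then
    set_field("tag", "Security");
end

// Stage 0 "else" pattern: Graylog has no else branch, so a second rule
// carries the negated condition and handles the remaining events.
rule "non_security"
when
    has_field("Channel") && !contains(to_string($message.Channel), "Security")
then
    set_field("tag", "Other");
end

// Stage 1 (must run after the tag is set): one lookup replaces a chain of
// per-EventID checks; the third argument is the default for unknown IDs.
rule "action_tags"
when
    has_field("EventID") && to_string($message.tag) == "Security"
then
    let action = lookup_value("event_actions", to_string($message.EventID), "Unknown Event");
    set_field("action", action);
end
```

Put "action_tags" in a later stage than "Security": a stage evaluates all of its when conditions before running any then block, so a field set in Stage 0 is only visible to rules from Stage 1 onward.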
