Hello Everyone! I'm trying to set up a message tagging rule based on the EventID for PCI-DSS. Right now I am tagging the messages with a rule as follows on Stage0:

    rule "Security"
    when
      has_field("Channel") && (contains(to_string($message.Channel), "Security"))
    then
      set_field("tag", "Security");
    end
After this I would like to add another field - 'action' - based on the EventID. Just an example: 4624 - "Successful Login", 4625 - "Failed Login", 4801 - "Workstation Unlocked", and another 75 event descriptions. Is it possible to check the value of the EventID after the 'THEN' part of the rule? My plan would be:

    rule "action_tags"
    when
      (contains(to_string($message.tag), "Security"))
    then
      (check if EventID is 4624,
        set_field("action", "Successful Login");
      (check if EventID is 4625,
        set_field("action", "Failed Login");
      (check if EventID is 4800,
        set_field("action", "Workstation Unlocked");
    end

So the question: is it possible to use conditional actions after the Then part (like a CASE sequence)? (I know I could put this even into the Stage0 rule above - I just cannot figure out how to use a condition after the Then.)

Second question: ELSE. Is it possible somehow to have a When/Then/Else sequence in one rule (do something in case it is not true)?

Thank you!

To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/ff31ba81-f499-4efb-8733-cb2485e30f28%40googlegroups.com.
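Added example (editor's note, not part of the original post or of any reply): how the two questions above are typically solved in the Graylog pipeline rule language. A rule is a single when/then; there are no conditional actions and no ELSE inside "then". The condition therefore goes into "when" and you write one rule per EventID, or, for many IDs, one rule that resolves the description through a lookup table. The field names EventID and tag come from the post; the lookup table name "windows_event_actions", its CSV content and the default string "Unmapped Security Event" are assumptions made for this example.

```graylog
// Idiom 1: one rule per EventID, placed in the stage after the tagging rule
// (Stage0 sets "tag"; rules in Stage1 can read it). The check lives in "when".
rule "action_4624"
when
  has_field("tag") && to_string($message.tag) == "Security" &&
  has_field("EventID") && to_long($message.EventID) == 4624
then
  set_field("action", "Successful Login");
end

rule "action_4625"
when
  has_field("tag") && to_string($message.tag) == "Security" &&
  has_field("EventID") && to_long($message.EventID) == 4625
then
  set_field("action", "Failed Login");
end

// Idiom 2 (scales to 75+ IDs): a lookup table instead of 75 rules.
// Assumed for this example: a lookup table named "windows_event_actions"
// (hypothetical name) backed by a CSV file data adapter whose key column
// holds the EventID and whose value column holds the description, e.g.
//   "key","value"
//   "4624","Successful Login"
//   "4625","Failed Login"
//   "4800","Workstation Locked"
//   "4801","Workstation Unlocked"
// The third argument of lookup_value is returned when the key is not found,
// so an unknown EventID is still visibly labelled rather than left empty.
rule "action_from_lookup"
when
  has_field("tag") && to_string($message.tag) == "Security" && has_field("EventID")
then
  let action = lookup_value("windows_event_actions", to_string($message.EventID), "Unmapped Security Event");
  set_field("action", action);
end

// ELSE emulation: there is no else branch, so the "otherwise" case is a
// second rule in the same stage whose "when" is the negation of the first.
// Every rule in a stage is evaluated against the message, so exactly one of
// "action_from_lookup" and "not_security" fires for a given message.
rule "not_security"
when
  !(has_field("tag") && to_string($message.tag) == "Security")
then
  set_field("action", "not_security");
end
```

Keep the EventID comparison numeric (to_long) or string (to_string) consistently with how the input stores the field; NXLog and Winlogbeat deliver it differently, and a type mismatch in "when" silently evaluates to false rather than raising an error.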