Thursday, October 6, 2016

Graylog2 Rules

Running server-side Drools rules that drop or enrich incoming messages is quite simple:

  • edit /opt/graylog/conf/graylog.conf and add the line rules_file = /opt/graylog/conf/rules.drl (there is a dedicated, initially empty section for it that starts with the comment # Drools Rule File (Use to rewrite incoming log messages))
  • create /opt/graylog/conf/rules.drl with the rules you want (see the sample below)
  • restart Graylog so the file is picked up (for example sudo graylog-ctl restart on the virtual appliance, or whatever service manager your installation uses)

Sample rules file

import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern

// Enrich every message whose source_id field is "WildFly10" with the log level
// found at the start of a standard WildFly line, e.g.
//   2016-10-06 11:22:33,444 ERROR [org.jboss.as] (MSC service thread 1-2) ...
rule "WildFly10"
  when
      m : Message( getField("source_id") == "WildFly10" )
  then
      // anchored regex: date, time with milliseconds, then the level word
      Matcher matcher = Pattern.compile("^\\d{4}-\\d{2}-\\d{2}\\s\\d{2}:\\d{2}:\\d{2},\\d{3}\\s(\\w+)").matcher(m.getMessage());
      if (matcher.find()) {
         m.addField("event-level", matcher.group(1));
      }
      // lines that do not match (continuation lines of a stack trace, etc.) are left untouched
end
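The sample above only enriches. The following rules file is an added example (not from the original post, and not Graylog's own sample) that shows both halves of what the post describes: one rule that drops a message entirely and one that enriches it. The source name haproxy, the /healthz path and the field name event-level are assumptions made for the example; setFilterOut(true) is the Message method Graylog's Drools integration uses to discard a message before it is indexed.

```drools
import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern

// Drop load-balancer health-check noise before it reaches the index.
// NOTE: anything dropped here is invisible to searches and alerts, so keep
// the condition narrow (a specific source AND a specific request path);
// never drop by source alone or you will lose that host's security events.
// The source name "haproxy" and the path "/healthz" are assumptions for this example.
rule "Drop haproxy health checks"
  salience 100   // higher salience fires before the enrichment rule below
  when
      m : Message( getField("source") == "haproxy",
                   getMessage() matches "^.*\\s\"GET /healthz HTTP/1\\.[01]\"\\s.*$" )
  then
      m.setFilterOut(true);   // message is discarded, nothing else runs on it
end

// Enrich WildFly messages with their log level so alerts can key on it.
// The regex is anchored at the start and uses only bounded quantifiers,
// so attacker-controlled message text cannot make it backtrack badly.
rule "WildFly10 level"
  when
      m : Message( getField("source_id") == "WildFly10" )
  then
      Matcher matcher = Pattern.compile(
          "^\\d{4}-\\d{2}-\\d{2}\\s\\d{2}:\\d{2}:\\d{2},\\d{3}\\s(\\w+)").matcher(m.getMessage());
      if (matcher.find()) {
         m.addField("event-level", matcher.group(1));
      } else {
         // continuation lines (stack traces, wrapped output) carry no level;
         // tag them explicitly so a search for event-level:UNPARSED finds them
         m.addField("event-level", "UNPARSED");
      }
end
```

Two practical checks after deploying a file like this: search for the dropped pattern to confirm the drop rule matches only what you intended, and search for event-level:UNPARSED to see which WildFly lines the regex does not understand. If the drop rule ever needs loosening, prefer adding a second specific condition over removing one.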