37 lines
833 B
Nix
37 lines
833 B
Nix
|
# filters sshd messages
|
||
|
|
{
|
||
|
|
resource."graylog_pipeline_rule" = {
|
||
|
|
|
||
|
|
routeToSshdMessage = {
|
||
|
|
|
||
|
|
description = "route sshd messages to sshd stream (TF)";
|
||
|
|
source = ''
|
||
|
|
rule "route sshd message"
|
||
|
|
when
|
||
|
|
to_string($message.facility) == "sshd"
|
||
|
|
then
|
||
|
|
route_to_stream(id:"''${ graylog_stream.sshd.id }", remove_from_default: true);
|
||
|
|
end
|
||
|
|
'';
|
||
|
|
};
|
||
|
|
|
||
|
|
};
|
||
|
|
|
||
|
|
graylog.all_messages.rules = ["route sshd message"];
|
||
|
|
|
||
|
|
graylog.stream.sshd = {
|
||
|
|
index_set_id = "\${data.graylog_index_set.default.id}";
|
||
|
|
#pipelines = [ "\${graylog_pipeline.processSshdMessage.id}" ];
|
||
|
|
};
|
||
|
|
|
||
|
|
#graylog.pipeline.processSshdMessage = {
|
||
|
|
# source = ''
|
||
|
|
# stage 0 match all
|
||
|
|
# rule "mark and route sshd junk";
|
||
|
|
# '';
|
||
|
|
# description = "process messages of the sshd stream(TF)";
|
||
|
|
#};
|
||
|
|
|
||
|
|
|
||
|
|
}
|