nixos-config/terranix/graylog/config/sslh.nix

# filters sslh messages
{
  resource."graylog_pipeline_rule" = {

    routeToSslhMessage = {

      description = "route sslh messages to sslh stream (TF)";
      source = ''
        rule "route sslh message"
        when
          to_string($message.facility) == "sslh"
        then
          route_to_stream(id:"''${ graylog_stream.sslh.id }", remove_from_default: true);
        end
      '';
    };

    sslhJunk = {
      source = ''
        rule "mark and route sslh junk"
        when
          starts_with(to_string($message.message), "client socket closed")
        then
          drop_message();
          //set_field("is_junk", true);
          //route_to_stream(id:"''${graylog_stream.junk.id}", remove_from_default: true);
        end
      '';
      description = "mark tinc noise as junk (TF)";
    };

  };

  graylog.all_messages.rules = ["route sslh message"];

  graylog.stream.sslh = {
    index_set_id = "\${data.graylog_index_set.default.id}";
    pipelines = [ "\${graylog_pipeline.processSslhMessage.id}" ];
  };

  graylog.pipeline.processSslhMessage = {
    source = ''
      stage 0 match all
        rule "mark and route sslh junk";
    '';
    description = "process messages of the sslh stream(TF)";
  };


}
init 2019-10-24 02:20:38 +02:00			`# filters sslh messages`
			`{`
			`resource."graylog_pipeline_rule" = {`

			`routeToSslhMessage = {`

			`description = "route sslh messages to sslh stream (TF)";`
			`source = ''`
			`rule "route sslh message"`
			`when`
			`to_string($message.facility) == "sslh"`
			`then`
			`route_to_stream(id:"''${ graylog_stream.sslh.id }", remove_from_default: true);`
			`end`
			`'';`
			`};`

			`sslhJunk = {`
			`source = ''`
			`rule "mark and route sslh junk"`
			`when`
			`starts_with(to_string($message.message), "client socket closed")`
			`then`
			`drop_message();`
			`//set_field("is_junk", true);`
			`//route_to_stream(id:"''${graylog_stream.junk.id}", remove_from_default: true);`
			`end`
			`'';`
			`description = "mark tinc noise as junk (TF)";`
			`};`

			`};`

			`graylog.all_messages.rules = ["route sslh message"];`

			`graylog.stream.sslh = {`
			`index_set_id = "\${data.graylog_index_set.default.id}";`
			`pipelines = [ "\${graylog_pipeline.processSslhMessage.id}" ];`
			`};`

			`graylog.pipeline.processSslhMessage = {`
			`source = ''`
			`stage 0 match all`
			`rule "mark and route sslh junk";`
			`'';`
			`description = "process messages of the sslh stream(TF)";`
			`};`


			`}`