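# filters sslh messages
#
# Graylog configuration for sslh log lines: one rule moves them out of the
# default stream into a dedicated "sslh" stream, and a pipeline attached to
# that stream discards the connection-close noise.
# The (TF) suffix and the escaped ${...} references suggest this is rendered
# to Terraform; the graylog.* options are declared elsewhere (not visible here).
{
  resource."graylog_pipeline_rule" = {

    # Routes every message whose facility is exactly "sslh" to the sslh stream
    # and removes it from the default stream.
    routeToSslhMessage = {
      description = "route sslh messages to sslh stream (TF)";
      # ''${ ... } is the Nix escape for a literal ${ ... }, so the stream id
      # reference is passed through unevaluated.
      source = ''
        rule "route sslh message"
        when
          to_string($message.facility) == "sslh"
        then
          route_to_stream(id:"''${ graylog_stream.sslh.id }", remove_from_default: true);
        end
      '';
    };

    # Drops messages whose text starts with "client socket closed".
    #
    # NOTE(review): drop_message() discards the message permanently, so it is
    # never indexed and cannot be searched later. If connection-close events
    # could be needed to reconstruct a connection timeline during an
    # investigation, the commented-out set_field/route_to_stream lines keep the
    # messages in a separate junk stream instead; that variant requires a
    # graylog_stream.junk resource to exist.
    #
    # The rule name still says "mark and route" although the active action is
    # a drop; it is left unchanged because the pipeline source below refers to
    # the rule by this exact name.
    sslhJunk = {
      # Previously read "mark tinc noise as junk (TF)", which named the wrong
      # service and the wrong action for this rule.
      description = "drop sslh 'client socket closed' noise (TF)";
      source = ''
        rule "mark and route sslh junk"
        when
          starts_with(to_string($message.message), "client socket closed")
        then
          drop_message();
          //set_field("is_junk", true);
          //route_to_stream(id:"''${graylog_stream.junk.id}", remove_from_default: true);
        end
      '';
    };
  };

  # Presumably registers the routing rule on the pipeline that sees all
  # messages; the option is defined outside this file. TODO confirm.
  graylog.all_messages.rules = [ "route sslh message" ];

  # The sslh stream uses the default index set and has the processing
  # pipeline below attached. \${ keeps the references literal in the output.
  graylog.stream.sslh = {
    index_set_id = "\${data.graylog_index_set.default.id}";
    pipelines = [ "\${graylog_pipeline.processSslhMessage.id}" ];
  };

  # Single-stage pipeline: stage 0 runs the junk rule on messages of the
  # sslh stream.
  graylog.pipeline.processSslhMessage = {
    description = "process messages of the sslh stream(TF)";
    source = ''
      stage 0 match all
      rule "mark and route sslh junk";
    '';
  };
}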