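# Graylog configuration for kernel-facility messages: a routing rule that moves
# kernel messages into their own stream, and a pipeline on that stream that
# extracts firewall deny details.
#
# Terraform interpolations (`${...}`) must survive Nix evaluation, so they are
# escaped for Nix: `''${` inside `''` strings and `\${` inside `"` strings.
# `graylog_stream.kernel`, `graylog_stream.thread` and `graylog_pipeline.*`
# are the Terraform resources presumably generated from the `graylog.*`
# attributes below (and from other modules, e.g. the `thread` stream, which is
# not defined here) — confirm against the module that maps them.
{
  resource."graylog_pipeline_rule" = {
    # Moves every message whose syslog facility is "kernel" into the kernel
    # stream and drops it from the default stream (remove_from_default: true).
    routeToKernelMessage = {
      description = "route kernel messages to kernel stream (TF)";
      source = ''
        rule "route kernel message"
        when
          to_string($message.facility) == "kernel"
        then
          route_to_stream(id:"''${ graylog_stream.kernel.id }", remove_from_default: true);
        end
      '';
    };

    # For lines starting with "refused connection:", grok out `source_ip` and
    # `destination_port`, set `is_thread` and copy the message to the `thread`
    # stream. No remove_from_default here, so the message presumably stays in
    # the kernel stream as well.
    extractFirewallDeny = {
      # Fixed typo in the user-facing description ("form" -> "from").
      description = "extract information from a firewall deny (TF)";
      source = ''
        rule "extract firewall deny"
        when
          starts_with(to_string($message.message), "refused connection:")
        then
          set_fields(grok("SRC=%{IP:source_ip} .* DPT=%{NUMBER:destination_port}", to_string($message.message)));
          set_field("is_thread", true);
          route_to_stream(id:"''${ graylog_stream.thread.id }");
        end
      '';
    };
  };

  # The routing rule is attached to the "all messages" (default) stream, so it
  # sees every incoming message before stream-specific pipelines run.
  graylog.all_messages.rules = [ "route kernel message" ];

  # Kernel stream: uses the default index set and runs the kernel pipeline.
  graylog.stream.kernel = {
    index_set_id = "\${data.graylog_index_set.default.id}";
    pipelines = [ "\${graylog_pipeline.processKernelMessage.id}" ];
  };

  # Single-stage pipeline for the kernel stream; only the firewall rule runs.
  graylog.pipeline.processKernelMessage = {
    source = ''
      stage 0 match all
      rule "extract firewall deny";
    '';
    description = "process messages of the kernel stream (TF)";
  };
}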