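# filters sshguard messages
#
# Two Graylog pipeline rules plus the stream/pipeline wiring that consumes
# them. The `(TF)` suffixes and the `\${...}` references suggest this is
# rendered to Terraform (terranix-style); inside the indented strings
# `''${ ... }` is the Nix escape for a literal `${ ... }` left to Terraform,
# and `\"` stays a backslash-quote for the Graylog rule language because
# Nix indented strings do not process backslash escapes.
{
  resource."graylog_pipeline_rule" = {
    # Routing rule, attached to the all-messages rule list below: every
    # message whose facility is "sshguard" is moved out of the default
    # stream into the sshguard stream.
    routeToSshGuardMessage = {
      description = "route sshguard messages to sshguard stream (TF)";
      # NOTE(review): this keys on `$message.facility`; confirm against a
      # live message that the input really stores the program name there,
      # otherwise nothing is routed and the extraction below never runs.
      source = ''
        rule "route sshguard message"
        when
          to_string($message.facility) == "sshguard"
        then
          route_to_stream(id:"''${ graylog_stream.sshguard.id }", remove_from_default: true);
        end
      '';
    };

    # Runs in the sshguard pipeline: pulls the attacking address out of
    # `Attack from "<addr>" ...` lines into `source_ip`, tags the message
    # and additionally routes it to the "thread" stream.
    extractAttack = {
      description = "extract sshguard attack information (TF)";
      # `%{IP:...}` (IPv4 or IPv6) instead of `%{IPV4:...}`: sshguard
      # reports IPv6 attackers with the same message format, and those
      # lines previously yielded no `source_ip` at all, so they were
      # tagged but not attributable. Field name and IPv4 output unchanged.
      # NOTE(review): `is_thread` / `graylog_stream.thread` read like a
      # misspelling of "threat"; kept as-is because the stream resource
      # (outside this file) and any saved searches use the current names.
      source = ''
        rule "extract sshguard attack"
        when
          starts_with(to_string($message.message), "Attack from")
        then
          set_fields(grok(pattern:"Attack from \"%{IP:source_ip}\"", value: to_string($message.message), only_named_captures: true));
          set_field("is_thread", true);
          route_to_stream(id:"''${ graylog_stream.thread.id }");
        end
      '';
    };
  };

  # The routing rule is evaluated on the all-messages rule list.
  graylog.all_messages.rules = [ "route sshguard message" ];

  # Destination stream for routed messages; its pipeline runs the
  # extraction rule defined below.
  graylog.stream.sshguard = {
    index_set_id = "\${data.graylog_index_set.default.id}";
    pipelines = [ "\${graylog_pipeline.processSshGuardMessage.id}" ];
  };

  # Single-stage pipeline that applies the extraction rule to every
  # message in the sshguard stream.
  graylog.pipeline.processSshGuardMessage = {
    source = ''
      stage 0 match all
      rule "extract sshguard attack";
    '';
    description = "process messages of the sshguard stream(TF)";
  };
}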