50 lines
1.2 KiB
Nix
50 lines
1.2 KiB
Nix
# filters sslh messages
|
|
{
|
|
resource."graylog_pipeline_rule" = {
|
|
|
|
routeToSslhMessage = {
|
|
|
|
description = "route sslh messages to sslh stream (TF)";
|
|
source = ''
|
|
rule "route sslh message"
|
|
when
|
|
to_string($message.facility) == "sslh"
|
|
then
|
|
route_to_stream(id:"''${ graylog_stream.sslh.id }", remove_from_default: true);
|
|
end
|
|
'';
|
|
};
|
|
|
|
sslhJunk = {
|
|
source = ''
|
|
rule "mark and route sslh junk"
|
|
when
|
|
starts_with(to_string($message.message), "client socket closed")
|
|
then
|
|
drop_message();
|
|
//set_field("is_junk", true);
|
|
//route_to_stream(id:"''${graylog_stream.junk.id}", remove_from_default: true);
|
|
end
|
|
'';
|
|
description = "mark tinc noise as junk (TF)";
|
|
};
|
|
|
|
};
|
|
|
|
graylog.all_messages.rules = [ "route sslh message" ];
|
|
|
|
graylog.stream.sslh = {
|
|
index_set_id = "\${data.graylog_index_set.default.id}";
|
|
pipelines = [ "\${graylog_pipeline.processSslhMessage.id}" ];
|
|
};
|
|
|
|
graylog.pipeline.processSslhMessage = {
|
|
source = ''
|
|
stage 0 match all
|
|
rule "mark and route sslh junk";
|
|
'';
|
|
description = "process messages of the sslh stream(TF)";
|
|
};
|
|
|
|
}
|