Blacklisting

If you have messages coming into Graylog that should be discarded before being written to Elasticsearch or forwarded to another system you can use Drools rules to perform custom filtering.

The rule file location is defined in the Graylog configuration file:

# Drools Rule File (Use to rewrite incoming log messages)
rules_file = /etc/graylog.d/rules/graylog.drl

The rules file is located on the file system with a .drl file extension. The rules file can contain multiple rules, queries and functions, as well as some resource declarations like imports, globals, and attributes that are assigned and used by your rules and queries.

For more information on the DRL rules syntax please read the Drools User Guide.

How to

The general idea is simple: Any Message marked with setFilterOut(true) will be discarded when processed in the Graylog filter chain. You can either write and load your own filter plugin that can execute any Java code to mark messages or just use the Drools rules. The following example shows how to do this.

Based on regular expressions

Put this into your rules_file:

import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern

rule "Blacklist all messages that start with 'firewall'"
  when
      m : Message( message matches "^firewall.*" )
  then
      System.out.println("DEBUG: Blacklisting message."); // Don't do this in production.
      m.setFilterOut(true);
end

This rule will blacklist any message that starts with the string “firewall” (matches "^firewall.*").
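The same blacklist written as the filter plugin alternative mentioned above, as an added example (not code from the Graylog documentation or code base). It assumes Graylog's plugin API exposes org.graylog2.plugin.filters.MessageFilter with filter(Message) returning true to drop a message, plus getName() and getPriority() (lower value runs earlier); the second pattern is a constructed entry. Note that both the Drools matches operator and Java's Matcher.matches() apply the regular expression to the whole message string, which is why the rule's pattern needs the trailing .*.

```java
import java.util.regex.Pattern;

import org.graylog2.plugin.Message;
import org.graylog2.plugin.filters.MessageFilter;

// Added example: a MessageFilter plugin equivalent to the Drools rule above.
// Assumption: returning true from filter() tells Graylog to drop the message.
public class RegexBlacklistFilter implements MessageFilter {

    // Compile once: Pattern is thread-safe, Matcher is not.
    // Whole-string semantics: matches() must consume the entire message, so the
    // trailing ".*" is required. DOTALL lets "." cross line breaks; the Drools
    // rule (plain String.matches semantics) will NOT match a multi-line message
    // that starts with "firewall".
    private static final Pattern[] BLACKLIST = {
        Pattern.compile("^firewall.*", Pattern.DOTALL),
        Pattern.compile("^.*healthcheck.*", Pattern.DOTALL)  // constructed second entry
    };

    @Override
    public boolean filter(Message msg) {
        String text = msg.getMessage();
        if (text == null) {
            return false; // nothing to match against; keep the message
        }
        for (Pattern p : BLACKLIST) {
            if (p.matcher(text).matches()) {
                msg.setFilterOut(true); // same marking as the rule's then-block
                return true;            // drop it from the filter chain
            }
        }
        return false; // not blacklisted; continue processing
    }

    @Override
    public String getName() {
        return "Regex blacklist";
    }

    @Override
    public int getPriority() {
        return 90; // assumed: lower values run earlier, so this runs late
    }
}
```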