A simple way to use Graylog's Drools rules to drop log messages you do not need. For details, see:
http://docs.graylog.org/en/latest/pages/blacklisting.html
http://docs.graylog.org/en/latest/pages/drools.html
1. Edit the Graylog configuration file and define the path where the rule file is stored:
# Drools Rule File (Use to rewrite incoming log messages)
rules_file = /etc/graylog.d/rules/graylog.drl
2. Edit the rule file:
The following example filters out Windows event log messages whose event ID is 5156 or 4658.
import org.graylog2.plugin.Message
import java.util.regex.Matcher
import java.util.regex.Pattern

rule "windows eventlog delete - 5156"
when
    m : Message( getField("winlogbeat_event_id") == "5156" )
then
    m.setFilterOut(true);
    log.info("[Eventlog that should be discarded before being written to Elasticsearch] rule fired: {}", m);
end

rule "windows eventlog delete - 4658"
when
    m : Message( getField("winlogbeat_event_id") == "4658" )
then
    m.setFilterOut(true);
    log.info("[Eventlog that should be discarded before being written to Elasticsearch] rule fired: {}", m);
end
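The same filter written as one rule instead of one rule per event ID, as an added example that is not part of the original post. It uses the Drools `in` operator over the same `winlogbeat_event_id` field, and additionally requires `winlogbeat_log_name` to be `Security` (a field visible in the console output below) so that the rule cannot accidentally discard events with the same numeric ID from another channel; the `log` global and `Message.getSource()` are assumed to be available in Graylog's Drools engine as in the rules above.

```drools
import org.graylog2.plugin.Message

// Added example (not from the original post): drop several noisy
// Security-log event IDs with a single rule, restricted to the Security
// channel so unrelated logs with the same ID values are never touched.
rule "windows eventlog delete - noisy Security events"
    salience 10    // evaluate before rules with the default salience 0
when
    m : Message( getField("winlogbeat_log_name") == "Security",
                 getField("winlogbeat_event_id") in ("5156", "4658") )
then
    m.setFilterOut(true);
    // Log only the fields needed to audit what was dropped, not the whole message.
    log.info("[discarded before Elasticsearch] event_id={} source={}",
             m.getField("winlogbeat_event_id"), m.getSource());
end
```

To add or remove an event ID, change only the list in the `in (...)` clause; a restart of Graylog is still required for the rule file to be re-read, as noted in step 3.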
3. Restart Graylog
Graylog has to be restarted after every update of the rule file, which is not very convenient. I have not found another way yet.
4. The following is what a filtered log message looks like in the Graylog console:
2017-08-16 01:18:05,474 INFO : org.graylog2.rules.DroolsEngine - [Eventlog that should be discarded before being written to Elasticsearch] rule fired: source: SCQDC02 | message: The Windows Filtering Platform has permitted a connection.Application Information:Process ID:640Application Name:\device\harddiskvolume1\windows\system32\lsass.exeNetwork Information:Direction:InboundSource Address:10.245.254 (...) { winlogbeat_fields_gl2_source_collector: ea58a411-4256-4e04-9b75-23a823860eed | winlogbeat_event_data_SourceAddress: 10.245.254.168 | winlogbeat_record_number: 126162387991 | winlogbeat_event_data_DestPort: 4732 | winlogbeat_version: 1 | winlogbeat_event_data_SourcePort: 88 | collector_node_id: graylog-collector-sidecar | gl2_remote_ip: 10.245.254.168 | gl2_remote_port: 49967 | winlogbeat_event_data_Direction: %%14592 | winlogbeat_level: Information | winlogbeat_tags: [windows, ad, 10.245.254.168] | type: wineventlog | gl2_source_input: 597ae7862ab79c0001b9f507 | winlogbeat_fields_collector_node_id: graylog-collector-sidecar | winlogbeat_provider_guid: {54849625-5478-4994-A5BA-3E3B0328C30D} | winlogbeat_process_id: 4 | winlogbeat_opcode: Info | winlogbeat_task: Filtering Platform Connection | winlogbeat_event_data_DestAddress: 172.16.7.40 | winlogbeat_source_name: Microsoft-Windows-Security-Auditing | winlogbeat_event_data_FilterRTID: 0 | gl2_source_node: c49b1d0f-b4be-4024-9eb0-7bb874735836 | winlogbeat_keywords: [Audit Success] | timestamp: 2017-08-16T01:03:46.628Z | winlogbeat_log_name: Security | gl2_source_collector: ea58a411-4256-4e04-9b75-23a823860eed | winlogbeat_thread_id: 92 | winlogbeat_type: wineventlog | winlogbeat_event_data_ProcessID: 640 | winlogbeat_event_data_Protocol: 6 | tags: [windows, ad, 10.245.254.168] | winlogbeat_event_data_Application: \device\harddiskvolume1\windows\system32\lsass.exe | winlogbeat_event_data_LayerName: %%14610 | winlogbeat_event_data_RemoteUserID: S-1-0-0 | winlogbeat_event_data_RemoteMachineID: S-1-0-0 | 
winlogbeat_event_id: 5156 | name: SCQDC02 | _id: c17b5823-8220-11e7-af8b-0242ac1c0004 | facility: winlogbeat | winlogbeat_computer_name: SCQDC02.ispcsa.com | winlogbeat_event_data_LayerRTID: 44 }