Hey guys, I'm looking for help here as a last resort. Can't find a solution..
I want to drop events from Win firewall log
the line is:
2022-12-02 08:53:10 ALLOW TCP 127.0.0.1 127.0.0.1 50740 389 0 - 0 0 0 - - - SEND
I don't want to send every line which contains 127.0.0.1 127.0.0.1
So I tried literally tenths of regex combinations and nothing worked. All event's still come threw to my Graylog server.
processors: - drop_event: when: regexp: message: '(127\.0\.0\.1).(127\.0\.0\.1)'
processors: - drop_event: when: regexp: message: '\s\b(127\.0\.0\.1)\b\s\b(127\.0\.0\.1)\b\s'
Is there an obvious mistake? Please help