Aggregation Count Alert Condition

Aggregation Count Alert Condition


Continuous Integration License GitHub Release

Alert condition plugin for Graylog to perform aggregation

The alert condition triggers whenever the stream received more or less than X messages matching the same values of some message fields and with distinct values of other message fields in the last Y minutes.

Perfect for example to be alerted when there are brute-force attempts on your platform. Create a stream that catches every authentification failure and be alerted when that stream exceeds a given threshold per user.

Also perfect for example to be alerted when there are network port scans on your platform. Create a stream that catches your network traffic and be alerted when that stream exceeds a given threshold per source and per destination and with distinct values of port.

Please also take note that only a single alert is raised for this condition during the alerting interval, although multiple messages containing different values for the message fields may have been received since the last alert.

Example of raised alert:

Version Compatibility

Plugin Version Graylog Version
4.1.x 4.2.x
4.0.x 4.1.x
2.2.x 3.3.x
2.1.x 3.2.x
2.0.x 3.2.x
1.2.x 3.0.x
1.1.x 2.5.x
1.0.x 2.4.x


Download the plugin and place the .jar file in your Graylog plugin directory. The plugin directory is the plugins/ folder relative from your graylog-server directory by default and can be configured in your graylog.conf file.

Restart graylog-server and you are done.


First you have to select the alert type Aggregation Count Alert Condition

Then, you can configure the Grouping Fields and the Distinction Fields to count messages respectively with the same values and with distinct values.

Optionally you can add a Comment about the configuration of the condition.

You can also set all the common parameters : Threshold Type , Threshold , Search within the last , Execute search every and Search Query .


This project is using Maven 3 and requires Java 8 or higher.

  • Clone this repository.
  • Run mvn package to build a JAR file.
  • Optional: Run mvn jdeb:jdeb and mvn rpm:rpm to create a DEB and RPM package respectively.
  • Copy generated JAR file in target directory to your Graylog plugin directory.
  • Restart the Graylog.


This plugin is released under version 1 of the Server Side Public License (SSPL).

This plugin is deprecated and won’t be maintained anymore.
Graylog built-in features now allow to use aggregation in an Event Definition.