Aggregation Count Alert Condition
The alert condition triggers whenever the stream received more or less than X messages matching the same values of some message fields and with distinct values of other message fields in the last Y minutes.
Perfect for example to be alerted when there are brute-force attempts on your platform. Create a stream that catches every authentification failure and be alerted when that stream exceeds a given threshold per user.
Also perfect for example to be alerted when there are network port scans on your platform. Create a stream that catches your network traffic and be alerted when that stream exceeds a given threshold per source and per destination and with distinct values of port.
Please also take note that only a single alert is raised for this condition during the alerting interval, although multiple messages containing different values for the message fields may have been received since the last alert.
Example of raised alert:
|Plugin Version||Graylog Version|
Download the plugin and place the
.jar file in your Graylog plugin directory. The plugin directory is the
plugins/ folder relative from your
graylog-server directory by default and can be configured in your
graylog-server and you are done.
First you have to select the alert type Aggregation Count Alert Condition
Then, you can configure the Grouping Fields and the Distinction Fields to count messages respectively with the same values and with distinct values.
Optionally you can add a Comment about the configuration of the condition.
You can also set all the common parameters : Threshold Type , Threshold , Search within the last , Execute search every and Search Query .
This project is using Maven 3 and requires Java 8 or higher.
- Clone this repository.
mvn packageto build a JAR file.
- Optional: Run
mvn rpm:rpmto create a DEB and RPM package respectively.
- Copy generated JAR file in target directory to your Graylog plugin directory.
- Restart the Graylog.
This plugin is released under version 1 of the Server Side Public License (SSPL).