Alert agreggation with content

alias · December 6, 2018, 8:23am

Hi,

I want to configure an alert based on agreggation message and content condition.

Log format:

%source% %source_ip% %message%

Example logs:

<sourceA> <source_ip1> <message1>
<sourceA> <source_ip2> <message1>
<sourceB> <source_ip1> <message1>
<sourceC> <source_ip1> <message1>
<sourceF> <source_ip1> <message3>

Stream “test” rules: (OK)

if message1 match, index in this stream

Now I want to create an alert based on “message count alert condition” with “search query” option (Graylog 2.5):

Alert “Alert_streamTest” condition wanted:

If the log trigger the 5 entries Threshold in 1 minute Time Range with the same source_ip value field, create alert.

Is it possible with search query to check the value on field “source_ip” to match if the value is the same ?

If is not possible with this solution, is it possible with graylog to create this type of alert with other method ?

Thanks !!

megan201296 · December 6, 2018, 4:52pm

Maybe take a look at this alert plugin and see if it fulfills your use case: https://github.com/airbus-cyber/graylog-plugin-aggregation-count

alias · December 6, 2018, 6:13pm

Thanks, I check this
But if others have an solution …

system · December 20, 2018, 6:13pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
To make alert based on frequeny of messages Graylog Central (peer support)	7	545	July 1, 2021
Alert Condition Question Graylog Central (peer support)	1	302	November 28, 2018
Send alert based on message content Graylog Central (peer support)	3	3039	October 10, 2017
Trigger alert if logs stop? Graylog Central (peer support)	7	1140	June 27, 2019
Aggregation Count Alert Condition Plug-Ins plug-in	1	1444	August 25, 2022

Alert agreggation with content

Related Topics