Alert condition 0 messages in 60 minutes is triggering when there are messages

Graylog Central (peer support)
1

Hi,

I have an alert setup with the following condition: Configuration: Alert is triggered when there is less than one message in the last 60 minutes. Grace period: 60 minutes. Including last message in alert notification. Configured to repeat notifications.

This is listening to a stream I have setup. I want the alert to trigger when there are 0 messages in the stream within 60 minutes.

The alert is triggering and stating: Stream had 0 messages in the last 60 minutes with trigger condition less than 1 messages. (Current grace time: 60 minutes).

But when I look in the stream, there have been messages in that time so I’m not sure why the alert was triggered.

combine_images
combine_images2000×1200 304 KB

Does anyone have any ideas, maybe I’m doing something wrong?

I am using graylog open, version 2.4.3
Documentation version: Welcome to the Graylog documentation — Graylog 2.4.6 documentation

Thanks in advance!

2

Hello && welcome

I might be able to help.
To help you further could we see how you configured you stream and your alert setup?

3

Hi,

Here’s the setup. The top part of the image is the stream config, the bottom bit is the alert config (sorry I’m only allowed to upload one image :confused: )

combine_images (1)
combine_images (1)1103×1302 127 KB

Let me know if you need anymore info.

Thanks

4

as I see in your screenshot, there is no “Aggregation of results” in your graylog version 2.4.3,I used this version before.
maybe you need upgrade to graylog 3 or 4

image
image1884×723 58.3 KB

5

Unfortunately I’m not sure if we’re in a position to update our graylog version at the moment, so I’m hoping to get this working on the version we’re currently using if possible.

I have another alert setup exactly the same as this one for a different stream (same errors but for a different region) and that alert seems to notify correctly when there are no messages. So I can’t understand why this alert is triggering incorrectly.

6

Hello,

Looking at your config it should work. Since you stated that there is another server thats set up the same way without issues.The only thing I can think of right now would be check you time/date on the Graylog server is correct.

What do you see when you execute this?

timedatectl

When you navigate to System --> Overview under Time configuration is it correct?

7

The time configuration is set to UTC, as we have multiple sites in different regions that log to the same graylog server. The dates and times of the messages in the stream all look okay to me. The alert that is working correctly is on our UK site (UTC+1), and the alert that is triggering incorrectly is on our US site (UTC-7).

However, there have been messages in the stream every hour for the last 7 days, so the alert should not have triggered on the 2nd August…

2021-08-05 09_28_44-Graylog Web Interface - Stream US _ Production _ Job Scheduler _ Transaction Not
2021-08-05 09_28_44-Graylog Web Interface - Stream US _ Production _ Job Scheduler _ Transaction Not1412×320 20.4 KB

8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.