I got a stream that receives messages from server A, Server A is a oracle database
Server A logs a few things, all these outputs are collected by logstash (using jdbc queries) and written to ONE logfile (in json) , filebeat reads it and send it over to our graylog server.
The log contains different keys depending on the type of action monitored
eg.
audit logging based on useractivity (sql query on audit table)
audit settings on oracle level (select statement to system tables)
the audit logging has about 10 keys that map to each queried column in the audit view,
the audit settings query logs itâs values fairly simple as filebeat_key and filebeat_value.
I wrote a alert condition based on
filebeat_key: audit_dest_file AND NOT filebeat_value:/somedir
Iâm aware that this value will only become active/change when DB is restarted, but this isnât the issue. The issue is that even when this value didnât change upon the previous log entry, it will trigger an alert. I assume it tries to match the condition on an" audit logging", this entry doesnât contain the fields filebeat_key & filebeat_value so it the condition is TRUE.
What would be the correct way to handle this ? I assume my query string isnât correct. Although when i use this query on my stream as a filter, it wonât show any hits, thus i concluded it wouldnât trigger a TRUE condition as well.
Could you provide a screenshot of your alert definition configuration and of the message which has triggered the alert (Donât forget to redact any sensitive info)
What version of GL are you running? That is the old alert system.
Have you put the full path of the filebeat_value field in your alert condition or?
AFAIKâŠ
filebeat_value: /oracle/orabck/<REDACTED> will match â/oracle/orabck/<REDACTED>â but will not match â/oracle/orabck/<REDACTED>/audit_sys_operationsâ
Add a wildcard if you want to exclude that entire directory or put the full path if you just want to exclude the âaudit_sys_operationsâ file.
