I got a stream that receives messages from server A, Server A is a oracle database
Server A logs a few things, all these outputs are collected by logstash (using jdbc queries) and written to ONE logfile (in json) , filebeat reads it and send it over to our graylog server.
The log contains different keys depending on the type of action monitored
eg.
audit logging based on useractivity (sql query on audit table)
audit settings on oracle level (select statement to system tables)
the audit logging has about 10 keys that map to each queried column in the audit view,
the audit settings query logs itās values fairly simple as filebeat_key and filebeat_value.
I wrote a alert condition based on
filebeat_key: audit_dest_file AND NOT filebeat_value:/somedir
Iām aware that this value will only become active/change when DB is restarted, but this isnāt the issue. The issue is that even when this value didnāt change upon the previous log entry, it will trigger an alert. I assume it tries to match the condition on an" audit logging", this entry doesnāt contain the fields filebeat_key & filebeat_value so it the condition is TRUE.
What would be the correct way to handle this ? I assume my query string isnāt correct. Although when i use this query on my stream as a filter, it wonāt show any hits, thus i concluded it wouldnāt trigger a TRUE condition as well.
Could you provide a screenshot of your alert definition configuration and of the message which has triggered the alert (Donāt forget to redact any sensitive info)
What version of GL are you running? That is the old alert system.
Have you put the full path of the filebeat_value field in your alert condition or?
AFAIKā¦
filebeat_value: /oracle/orabck/<REDACTED> will match ā/oracle/orabck/<REDACTED>ā but will not match ā/oracle/orabck/<REDACTED>/audit_sys_operationsā
Add a wildcard if you want to exclude that entire directory or put the full path if you just want to exclude the āaudit_sys_operationsā file.
