Alert condition triggered but can't see why

I got a stream that receives messages from server A, Server A is a oracle database

Server A logs a few things, all these outputs are collected by logstash (using jdbc queries) and written to ONE logfile (in json) , filebeat reads it and send it over to our graylog server.

The log contains different keys depending on the type of action monitored
eg.

  • audit logging based on useractivity (sql query on audit table)
  • audit settings on oracle level (select statement to system tables)

the audit logging has about 10 keys that map to each queried column in the audit view,
the audit settings query logs it’s values fairly simple as filebeat_key and filebeat_value.

I wrote a alert condition based on
filebeat_key: audit_dest_file AND NOT filebeat_value:/somedir

I’m aware that this value will only become active/change when DB is restarted, but this isn’t the issue. The issue is that even when this value didn’t change upon the previous log entry, it will trigger an alert. I assume it tries to match the condition on an" audit logging", this entry doesn’t contain the fields filebeat_key & filebeat_value so it the condition is TRUE.

What would be the correct way to handle this ? I assume my query string isn’t correct. Although when i use this query on my stream as a filter, it won’t show any hits, thus i concluded it wouldn’t trigger a TRUE condition as well.

Could you provide a screenshot of your alert definition configuration and of the message which has triggered the alert (Don’t forget to redact any sensitive info)

settings below

What version of GL are you running? That is the old alert system.

Have you put the full path of the filebeat_value field in your alert condition or?

AFAIK…

filebeat_value: /oracle/orabck/<REDACTED> will match ‘/oracle/orabck/<REDACTED>’ but will not match ‘/oracle/orabck/<REDACTED>/audit_sys_operations’
Add a wildcard if you want to exclude that entire directory or put the full path if you just want to exclude the ‘audit_sys_operations’ file.

Graylog 3.0.2+ is what we are running

the full condition is

filebeat_name: audit_file_dest AND NOT filebeat_value: /oracle/orabck//audit_sys_operations

Hmm okay…

If you run that search yourself against the stream, does it also return the undesired message?

Not sure if the space you are putting before the value will have an impact but, you could try removing that as well.

it seems that adding quotes did solve the problem

filebeat_name:“audit_file_dest” AND NOT filebeat_value:"/oracle/orabck/<REDACTED>/audit_sys_operations"

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.