I got a stream that receives messages from server A, Server A is a oracle database
Server A logs a few things, all these outputs are collected by logstash (using jdbc queries) and written to ONE logfile (in json) , filebeat reads it and send it over to our graylog server.
The log contains different keys depending on the type of action monitored
- audit logging based on useractivity (sql query on audit table)
- audit settings on oracle level (select statement to system tables)
the audit logging has about 10 keys that map to each queried column in the audit view,
the audit settings query logs it’s values fairly simple as filebeat_key and filebeat_value.
I wrote a alert condition based on
filebeat_key: audit_dest_file AND NOT filebeat_value:/somedir
I’m aware that this value will only become active/change when DB is restarted, but this isn’t the issue. The issue is that even when this value didn’t change upon the previous log entry, it will trigger an alert. I assume it tries to match the condition on an" audit logging", this entry doesn’t contain the fields filebeat_key & filebeat_value so it the condition is TRUE.
What would be the correct way to handle this ? I assume my query string isn’t correct. Although when i use this query on my stream as a filter, it won’t show any hits, thus i concluded it wouldn’t trigger a TRUE condition as well.