Alert configuration, message count/grace period?

I have some trouble wrapping my head around edge cases for alerts and I’m hoping someone can enlighten me.

  • Use case 1: An alert for every message matching the alert condition is desired, no matter how many. Example: SSH login from a special account (say "root"). How to do this?

  • Use case 2: An alert for only the first message matching the alert condition is wanted IF the following matching messages are within fixed time intervals. Example: a login to an admin UI keeps refreshing and thereby repeats the login message every 15 minutes. I want to receive an alert for the first message only.

I’ve tried messing with message counts and grace periods but I can’t get it to work. Any pointers would be much appreciated!

Any ideas? Am I asking for something obvious that I just don’t see here?
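To make the two use cases concrete, here is a small Python model of the alerting semantics the question describes. It is an added example, not Graylog's code and not the poster's configuration; the log events are constructed, and the parameter names `grace_seconds` and `rearm_on_match` are assumptions for illustration. Whether a given Graylog release measures the grace period from the last alert or from the last matching message is not asserted here, so the model implements both policies and shows how they differ on a message that repeats every 15 minutes.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Event:
    """One log message. ts is seconds since an arbitrary start (constructed data)."""
    ts: int
    source: str
    message: str


def evaluate(events: Iterable[Event], condition: Callable[[Event], bool],
             grace_seconds: int, rearm_on_match: bool = False) -> List[int]:
    """Return the timestamps at which an alert would fire.

    grace_seconds  - suppression window after an alert; 0 alerts on every match
                     (use case 1).
    rearm_on_match - False: the window is counted from the last *alert*. A
                            message that repeats for ever still re-alerts once
                            per window.
                     True:  every suppressed match re-opens the window, so a
                            message that keeps repeating inside the window
                            yields exactly one alert, the first (use case 2).
    Both policies are assumptions for illustration, not Graylog's implementation.
    """
    alerts: List[int] = []
    window_start: Optional[int] = None  # ts the current window is measured from
    for ev in sorted(events, key=lambda e: e.ts):  # tolerate out-of-order delivery
        if not condition(ev):
            continue
        suppressed = window_start is not None and ev.ts - window_start < grace_seconds
        if suppressed:
            if rearm_on_match:
                window_start = ev.ts  # keep the window open while matches continue
            continue
        window_start = ev.ts
        alerts.append(ev.ts)
    return alerts


# Constructed sample data, not real logs.
SSH_EVENTS = [
    Event(0, "sshd", "Accepted publickey for root from 10.0.0.7 port 51234 ssh2"),
    Event(5, "sshd", "Accepted publickey for root from 10.0.0.7 port 51240 ssh2"),
    Event(60, "sshd", "Accepted password for deploy from 10.0.0.9 port 40112 ssh2"),
    Event(600, "sshd", "Accepted publickey for root from 10.0.0.8 port 52001 ssh2"),
]

# Admin UI refreshing its session every 15 minutes (900 s).
UI_EVENTS = [Event(t, "admin-ui", "login ok user=alice") for t in (0, 900, 1800, 2700, 3600)]


def is_root_ssh(ev: Event) -> bool:
    return ev.source == "sshd" and ev.message.startswith("Accepted") and " for root " in ev.message


def is_admin_ui_login(ev: Event) -> bool:
    return ev.source == "admin-ui" and ev.message.startswith("login ok")


if __name__ == "__main__":
    print("use case 1, grace 0:", evaluate(SSH_EVENTS, is_root_ssh, 0))
    print("grace == interval, from alert:", evaluate(UI_EVENTS, is_admin_ui_login, 900))
    print("grace > interval, from alert:", evaluate(UI_EVENTS, is_admin_ui_login, 901))
    print("grace > interval, re-armed:", evaluate(UI_EVENTS, is_admin_ui_login, 901, True))
```

Two edge cases fall out of the model. A grace period exactly equal to the refresh interval (900 s here) suppresses nothing with a strict `<` comparison, so every refresh alerts; the window has to be longer than the interval. And a fixed window counted from the last alert can only thin the alerts out to one per window, never to "the first only": that needs the window to be re-armed by each suppressed match, which is a different setting (or a different mechanism) from a plain grace period.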

Hey @x0n

You did not share which Graylog version you are using. Because of the rework of alerting, this is fundamentally different.

