I want to generate an alert if graylog receives no logs from certain sources for a given period of time.
I swear I had this working in Graylog 3.1.3 by defining an event:
with the appropriate filter
no Group By
Search within the last 5 min
Execute search every 5 min
the following aggregations for 2 different use cases (at the time it was first set up, I didn’t have a container_name for the 2nd case):
count(container_name) = 0
count(message) = 0
After upgrading to 3.2.2, the event is always raised, even if there are logs coming in.
I also tried using count() = 0, but that didn’t help.
What am I doing wrong here? Am I misinterpreting what count() does?
The only other thing I changed recently was to add replicas to my Elasticsearch config. I also recently noticed a lot of Graylog “Fielddata is disabled on text fields by default” logs, but I’m not sure when that started happening. By changing the above count(message) to count(container_name), those logs stopped.
I already tested the count() = 0 aggregation for your use case and it works for me. However, I want to mention that it has a precondition which is not clear. For the Event Engine to work as expected, you need a constant flow of any log messages. In other words, if no logs at all are received by Graylog, then the Event Engine stops working.
I have another user who has a similar problem but I could not figure out the problem yet. So I am happy if you can let me know if you see anything suspicious in the logs.
I would suggest now that you use count() = 0, adjust the filter accordingly, and see if you have a constant flow of logs.
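As an added illustration of the precondition described above (this is not Graylog's code and not from either poster; the class and function names, the 300-second window and the sample trace are all constructed), the model below runs a "search within the last 5 min, count(field) = 0" definition every 5 minutes and separates the two zero-count cases: a window in which the engine saw traffic but nothing matched the filter (alert), and a window in which the engine saw nothing at all (a stall, where a zero count says nothing about the monitored source).

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

@dataclass(frozen=True)
class LogEvent:
    timestamp: int                 # seconds since start of the constructed trace
    source: str
    container_name: Optional[str]  # None models a document without the field
    message: str

@dataclass(frozen=True)
class Outcome:
    window_start: int
    window_end: int
    total_seen: int   # every message the engine saw in the window, any source
    matching: int     # count(field) over messages passing the filter
    alert: bool       # "no logs from this source" condition met
    stalled: bool     # engine saw no input at all: a zero count is not trustworthy

def evaluate_window(events: List[LogEvent], window_end: int, window_seconds: int,
                    matches: Callable[[LogEvent], bool], field: str) -> Outcome:
    # One execution of: filter, no Group By, count(field) = 0 over the last window
    window_start = window_end - window_seconds
    in_window = [e for e in events if window_start <= e.timestamp < window_end]
    # count(field) only counts documents in which the field is present
    matching = [e for e in in_window if matches(e) and getattr(e, field) is not None]
    stalled = not in_window
    alert = not stalled and not matching
    return Outcome(window_start, window_end, len(in_window), len(matching), alert, stalled)

def run_schedule(events, matches, field="message", window_seconds=300, every=300, until=900):
    # "Execute search every 5 min" over a 15-minute constructed trace
    return [evaluate_window(events, end, window_seconds, matches, field)
            for end in range(window_seconds, until + 1, every)]

# Constructed trace: host-b goes quiet after 90 s; the whole pipeline goes quiet after 480 s
EVENTS = [
    LogEvent(30, "host-a", "web", "GET /"),
    LogEvent(90, "host-b", "db", "checkpoint complete"),
    LogEvent(240, "host-a", "web", "GET /health"),
    LogEvent(330, "host-a", "web", "GET /"),
    LogEvent(480, "host-a", None, "POST /login"),
]

def from_host_b(e: LogEvent) -> bool: return e.source == "host-b"  # the definition's filter

if __name__ == "__main__":
    for o in run_schedule(EVENTS, from_host_b):
        state = "STALLED (no input at all)" if o.stalled else ("ALERT" if o.alert else "ok")
        print(f"[{o.window_start:>3}-{o.window_end:>3}) seen={o.total_seen} matching={o.matching} {state}")
```

The third window shows why the engine needs a constant flow of messages: with no input at all, a count() = 0 condition cannot distinguish "source is silent" from "nothing is being ingested", so a separate ingestion heartbeat is needed to catch the stall.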
@konrad
Thanks for the quick response.
Note that what I’m seeing is the event getting raised even if there are matching logs. The Filter Preview shows the logs OK. I tried deleting the event definition and re-creating it, but that didn’t help. I don’t see anything related in the Graylog logs.
Richard