Alert if no logs

I want to generate an alert if graylog receives no logs from certain sources for a given period of time.

I swear I had this working in Graylog 3.1.3 by defining an event:

  • with the appropriate filter
  • no Group By
  • Search within the last 5 min
  • Execute search every 5 min
  • the following aggregations for 2 different use cases (at the time it was first set up, I didn’t have a container_name for the 2nd case):
    • count(container_name) = 0
    • count(message) = 0

After upgrading to 3.2.2, the event is always raised, even if there are logs coming in.
I also tried using count() = 0, but that didn’t help.

What am I doing wrong here? Am I misinterpreting what count() does?

The only other thing I changed recently was to add replicas to my ElasticSearch config. I also recently noticed a lot of Graylog “Fielddata is disabled on text fields by default” logs, but I’m not sure when that started happening. By changing the above count(message) to count(container_name), those logs stopped.

Hello Richard,

So first of all, do not use message or full_message in an aggregation. We have already opened a bug for that: to prevent selecting fields of type text.

I already tested the count() = 0 aggregation for your use case and it works for me. However, I want to mention that it has a pre-condition which is not clear. For the Event Engine to work as expected, you need a constant flow of log messages. To say it in other words, if no logs at all are received by Graylog, then the Event Engine stops working.

I have another user who has a similar problem but I could not figure out the problem yet. So I am happy if you can let me know if you see anything suspicious in the logs.

I would suggest now that you use count() = 0, rather adjust the filter accordingly, and see whether you have a constant flow of logs.

Best regards,
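The pre-condition described in the reply above is easiest to see in a small simulation. The following is an added example, not code from the thread or from Graylog itself: it models an event definition with "count() = 0", "Search within the last 5 min" and "Execute search every 5 min" over constructed sample log lines, and contrasts a scheduler that runs on wall-clock time with one that only advances when some message arrives (the assumption used here to model the reply's "if no logs at all are received, the Event Engine stops working"; it is not a description of Graylog's internals). The function and variable names (`run_event_engine`, `traffic_gaps`, `SAMPLE_LOGS`) are hypothetical.

```python
from datetime import datetime, timedelta

T0 = datetime(2020, 3, 1, 10, 0)


def at(minutes):
    """Shorthand for T0 + minutes."""
    return T0 + timedelta(minutes=minutes)


# Constructed sample log lines, not taken from the thread: (timestamp, source, container_name).
# 'web' logs every two minutes until 10:18 and then goes silent; 'db' keeps logging until 10:40.
SAMPLE_LOGS = (
    [(at(m), "web", "nginx") for m in range(0, 20, 2)]
    + [(at(m), "db", "postgres") for m in range(0, 41, 2)]
)

# Same data, but every source stops at 10:20 (the "no logs at all" situation from the reply).
STALLED_LOGS = [entry for entry in SAMPLE_LOGS if entry[0] < at(20)]


def count_in_window(logs, source, window_start, window_end):
    """count() over messages matching the filter source:<source> inside [window_start, window_end)."""
    return sum(1 for ts, src, _ in logs if src == source and window_start <= ts < window_end)


def no_logs_condition(logs, source, now, search_within=timedelta(minutes=5)):
    """The event condition: count() = 0 with 'Search within the last 5 min'."""
    return count_in_window(logs, source, now - search_within, now) == 0


def run_event_engine(logs, source, start, end, every=timedelta(minutes=5), requires_traffic=False):
    """Simulate 'Execute search every 5 min' and return the tick times at which the event is raised.

    requires_traffic=False: the search runs on every tick (wall-clock scheduler).
    requires_traffic=True:  a tick is only processed when at least one message of ANY source
                            arrived since the previous tick. This is an assumption used to model
                            the pre-condition from the reply, not Graylog's actual implementation.
    """
    raised = []
    tick = start + every
    while tick <= end:
        traffic = any(tick - every <= ts < tick for ts, _, _ in logs)
        if not requires_traffic or traffic:
            if no_logs_condition(logs, source, tick):
                raised.append(tick)
        tick += every
    return raised


def traffic_gaps(logs, start, end, every=timedelta(minutes=5)):
    """The operator's sanity check suggested in the reply: which execution intervals saw no
    messages at all, i.e. where the 'constant flow of logs' pre-condition is violated."""
    gaps = []
    tick = start + every
    while tick <= end:
        if not any(tick - every <= ts < tick for ts, _, _ in logs):
            gaps.append(tick)
        tick += every
    return gaps


if __name__ == "__main__":
    for name, logs in (("normal", SAMPLE_LOGS), ("stalled", STALLED_LOGS)):
        wall = run_event_engine(logs, "web", T0, at(40))
        msg = run_event_engine(logs, "web", T0, at(40), requires_traffic=True)
        print(f"{name}: wall-clock raises at {[t.strftime('%H:%M') for t in wall]}")
        print(f"{name}: message-driven raises at {[t.strftime('%H:%M') for t in msg]}")
        print(f"{name}: intervals with no traffic {[t.strftime('%H:%M') for t in traffic_gaps(logs, T0, at(40))]}")
```

With the "normal" data both schedulers raise the event for `web` from 10:25 onward because `db` keeps the engine fed. With the "stalled" data only the wall-clock scheduler raises; the message-driven one stays silent precisely when every source is down, which is the case the reply warns about. `traffic_gaps` over the stalled data lists those empty intervals, which is the check worth running before trusting a "no logs" event.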

Thanks for the quick response.
Note that what I'm seeing is the event getting raised even if there are matching logs. The Filter Preview shows the logs OK. I tried deleting the event definition and re-creating it, but that didn't help. I don't see anything related in the Graylog logs.
