Alert if no logs

I want to generate an alert if graylog receives no logs from certain sources for a given period of time.

I swear I had this working in Graylog 3.1.3 by defining an event:

  • with the appropriate filter
  • no Group By
  • Search within the last 5 min
  • Execute search every 5 min
  • the following aggregations for 2 different use cases (at the time it was first set up, I didn’t have a container_name for the 2nd case):
    • count(container_name) = 0
    • count(message) = 0

After upgrading to 3.2.2, the event is always raised, even if there are logs coming in.
I also tried using count() = 0, but that didn’t help.

What am I doing wrong here? Am I misinterpreting what count() does?

The only other thing I changed recently was to add replicas to my Elasticsearch config. I also recently noticed a lot of Graylog “Fielddata is disabled on text fields by default” logs, but I’m not sure when that started happening. By changing the above count(message) to count(container_name), those logs stopped.

Hello Richard,

So first of all do not use message or full_message in Aggregation. We have already opened a bug for that: https://github.com/Graylog2/graylog2-server/issues/7510 to prevent selecting fields of type text.

I already tested the count() = 0 aggregation for your use case and it works for me. However I want to mention that it has a precondition which is not clear. For the Event Engine to work as expected, you need a constant flow of any log messages. To say it in other words, if no logs at all are received by Graylog, then the Event Engine stops working.

I have another user who has a similar problem but I could not figure out the problem yet. So I am happy if you can let me know if you see anything suspicious in the logs.

I would suggest now, that you use count() = 0 and adjust rather the filter accordingly and see if you have a constant flow of logs.

Best regards,
Konrad
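The absence check discussed above (filter, no Group By, search within the last 5 minutes, execute every 5 minutes, count() = 0), as an added example that is not from this thread and not Graylog's own code. It models the event definition over a constructed log stream and also models Konrad's caveat: when no logs at all arrive in a window, the engine does not evaluate, so the window is flagged as `engine_idle` and no alert fires. The record layout, the `source` and `container_name` field names and the sample timestamps are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List


@dataclass
class LogRecord:
    timestamp: datetime
    fields: Dict[str, str]


def ts_utc(hh: int, mm: int) -> datetime:
    # Constructed timestamps on an arbitrary day, all UTC
    return datetime(2020, 3, 1, hh, mm, tzinfo=timezone.utc)


# Constructed sample stream (not real Graylog data): web01 goes quiet
# between 10:03 and 10:12 while db01 keeps logging, then everything stops.
SAMPLE_LOGS: List[LogRecord] = [
    LogRecord(ts_utc(10, 1), {"source": "web01", "container_name": "nginx"}),
    LogRecord(ts_utc(10, 3), {"source": "web01", "container_name": "nginx"}),
    LogRecord(ts_utc(10, 12), {"source": "web01", "container_name": "nginx"}),
    LogRecord(ts_utc(10, 1), {"source": "db01", "container_name": "postgres"}),
    LogRecord(ts_utc(10, 6), {"source": "db01", "container_name": "postgres"}),
    LogRecord(ts_utc(10, 11), {"source": "db01", "container_name": "postgres"}),
    LogRecord(ts_utc(10, 14), {"source": "db01", "container_name": "postgres"}),
]


def matches_filter(record: LogRecord, filter_fields: Dict[str, str]) -> bool:
    # Equivalent of the event definition's filter: every field must match exactly
    return all(record.fields.get(k) == v for k, v in filter_fields.items())


def in_window(record: LogRecord, window_end: datetime, window: timedelta) -> bool:
    # "Search within the last N minutes" relative to the execution time
    return window_end - window < record.timestamp <= window_end


def evaluate_absence(logs: List[LogRecord], filter_fields: Dict[str, str],
                     window_end: datetime, window: timedelta = timedelta(minutes=5)) -> dict:
    """One execution of a 'count() = 0' event definition without Group By."""
    in_scope = [r for r in logs if in_window(r, window_end, window)]
    matched = sum(1 for r in in_scope if matches_filter(r, filter_fields))
    # Assumption drawn from the thread: with no logs at all in the window the
    # engine does not evaluate, so the silence of the filtered source goes unseen.
    engine_idle = len(in_scope) == 0
    return {
        "window_end": window_end,
        "count": matched,
        "engine_idle": engine_idle,
        "alert": matched == 0 and not engine_idle,
    }


def run_schedule(logs: List[LogRecord], filter_fields: Dict[str, str],
                 first_run: datetime, last_run: datetime,
                 interval: timedelta = timedelta(minutes=5),
                 window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """'Execute search every N minutes' from first_run to last_run inclusive."""
    results = []
    t = first_run
    while t <= last_run:
        results.append(evaluate_absence(logs, filter_fields, t, window))
        t += interval
    return results


if __name__ == "__main__":
    for r in run_schedule(SAMPLE_LOGS, {"source": "web01"}, ts_utc(10, 5), ts_utc(10, 20)):
        print(f"{r['window_end']:%H:%M} count={r['count']} "
              f"alert={r['alert']} engine_idle={r['engine_idle']}")
```

The 10:10 run is the intended alert: web01 is silent while db01 still logs, so the engine evaluates and count() is 0. The 10:20 run shows the precondition Konrad describes: web01 is just as silent, but nothing at all arrived, so no evaluation happens and the silence is missed; a constant flow of messages from some source is what keeps the check running.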

@konrad
Thanks for the quick response.
Note that what I’m seeing is the event getting raised even if there are matching logs. The Filter Preview shows the logs OK. I tried deleting the event definition and re-creating it, but that didn’t help. I don’t see anything related in the Graylog logs.
Richard
