Alert Notification cannot be set

Hey y’all.

I am encountering behaviour which makes it impossible for me to set a notification trigger for an alert event definition I have defined.

See this video - it describes what is happening better than I could do with words.

The event definition itself is a pretty simple “Filter & Aggregation” condition event, which looks at a stream, counts all messages with a certain field, and triggers an alert if > n messages have occurred in a specific time frame.

The notification is a custom HTTP notification, which fills out a body template with the event details and sends it to a webhook URL. Sending test notifications works fine.

  • OS Information: Docker 26.1.1 on Debian 12, Linux 6.1.0-21-amd64

  • Package Version: Graylog Open 6.0.2 in Docker Compose with mongo 6.0.5-jammy and opensearch:2. See docker-compose.yml below for further details

  • Service logs, configurations, and environment variables:

docker-compose.yml:

networks:
  graynet:

volumes:
  mongo_data:
    driver: local
  log_data:
    driver: local
  graylog_data:
    driver: local

services:
  # Graylog stores configuration in MongoDB
  mongo:
    image: mongo:6.0.5-jammy
    container_name: mongodb
    volumes:
      - "mongo_data:/data/db"
    networks:
      - graynet
    restart: unless-stopped

  # The logs themselves are stored in Opensearch
  opensearch:
    image: opensearchproject/opensearch:2
    container_name: opensearch
    environment:
      - "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx4g"
      - "bootstrap.memory_lock=true"
      - "discovery.type=single-node"
      - "action.auto_create_index=false"
      - "plugins.security.ssl.http.enabled=false"
      - "OPENSEARCH_INITIAL_ADMIN_PASSWORD=XXXXXXXXX"
      - "plugins.security.disabled=true"
    volumes:
      - "log_data:/usr/share/opensearch/data"
    ulimits:
      memlock:
        soft: -1
        hard: -1
      nofile:
        soft: 65536
        hard: 65536
    ports:
      - 9200:9200/tcp
    networks:
      - graynet
    restart: unless-stopped

  graylog:
    image: graylog/graylog:6.0.2
    container_name: graylog
    environment:
      # CHANGE ME (must be at least 16 characters)!
      GRAYLOG_PASSWORD_SECRET: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      GRAYLOG_ROOT_PASSWORD_SHA2: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
      GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9XXX"
      GRAYLOG_HTTP_EXTERNAL_URI: "http://XXX.XXX.XXX.XXX:9XXX/"
      GRAYLOG_ELASTICSEARCH_HOSTS: "http://admin:XXXXXXXXX@opensearch:9200"
      GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
      GRAYLOG_TIMEZONE: "Europe/Berlin"
      TZ: "Europe/Berlin"
      GRAYLOG_TRANSPORT_EMAIL_PROTOCOL: "smtp"
      GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL: "http://XXX.XXX.XXX.XXX:9XXX/"
      GRAYLOG_TRANSPORT_EMAIL_HOSTNAME: "outbound.mailhop.org"
      GRAYLOG_TRANSPORT_EMAIL_ENABLED: "false"
      GRAYLOG_TRANSPORT_EMAIL_PORT: "587"
      GRAYLOG_TRANSPORT_EMAIL_USE_AUTH: "true"
      GRAYLOG_TRANSPORT_EMAIL_AUTH_USERNAME: "xxxxx"
      GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD: "xxxxx"
      GRAYLOG_TRANSPORT_EMAIL_USE_TLS: "true"
      GRAYLOG_TRANSPORT_EMAIL_USE_SSL: "false"
      GRAYLOG_TRANSPORT_FROM_EMAIL: "graylog@example.com"
      GRAYLOG_TRANSPORT_SUBJECT_PREFIX: "[graylog]"
    entrypoint: /usr/bin/tini -- wait-for-it opensearch:9200 -- /docker-entrypoint.sh
    volumes:
      - "${PWD}/config/graylog/graylog.conf:/usr/share/graylog/config/graylog.conf"
      - "graylog_data:/usr/share/graylog/data"
    networks:
      - graynet
    restart: always
    depends_on:
      opensearch:
        condition: "service_started"
      mongo:
        condition: "service_started"
    ports:
      - 9XXX:9XXX/tcp   # Graylog web interface and REST API
      - 5XXX:5XXX/udp     # DH2-Agents Filebeat
      - 5XXX:5XXX/tcp     # DH2-Agents Filebeat

Information marked as XXXX has been redacted for privacy reasons.

To try and solve this issue, I have

  • Logged out and back in in my Firefox 126.0 browser using the admin user, to make sure the session wasn’t the issue
  • Updated from graylog 6.0.0 to graylog 6.0.2
  • docker compose pulled the other docker containers to their newest respective versions
  • Restarted the server
  • Restarted the docker containers using docker compose stop and docker compose up -d

Does anyone have suggestions for how to solve this issue? If additional information is required, I am happy to share it.

Thank you for your time!

It’s a UI bug. I filed an issue:

You just have to click the Add Notification button twice.
