Hey y’all.
I am encountering behaviour which makes it impossible for me to set a notification trigger for an alert event definition I have defined.
See this video - it describes what is happening better than I could do with words.
The event definition itself is a pretty simple “Filter & Aggregation” condition event, which looks at a stream, counts all messages with a certain fields, and triggers an alert, if > n messages have occurred in a specific time frame.
The notification is a custom HTTP notification, which fills out a body template with the event details and sends it to a webhook URL. Sending test notifications works fine.
-
OS Information: Docker 26.1.1 on Debian 12, Linux 6.1.0-21-amd64
-
Package Version: Graylog Open 6.0.2 in Docker Compose with mongo 6.0.5-jammy and opensearch:2. See docker-compose.yml below for further details
-
Service logs, configurations, and environment variables:
docker-compose.yml:
networks:
graynet:
volumes:
mongo_data:
driver: local
log_data:
driver: local
graylog_data:
driver: local
services:
# Graylog stores configuration in MongoDB
mongo:
image: mongo:6.0.5-jammy
container_name: mongodb
volumes:
- "mongo_data:/data/db"
networks:
- graynet
restart: unless-stopped
# The logs themselves are stored in Opensearch
opensearch:
image: opensearchproject/opensearch:2
container_name: opensearch
environment:
- "OPENSEARCH_JAVA_OPTS=-Xms2g -Xmx4g"
- "bootstrap.memory_lock=true"
- "discovery.type=single-node"
- "action.auto_create_index=false"
- "plugins.security.ssl.http.enabled=false"
- "OPENSEARCH_INITIAL_ADMIN_PASSWORD=XXXXXXXXX"
- "plugins.security.disabled=true"
volumes:
- "log_data:/usr/share/opensearch/data"
ulimits:
memlock:
soft: -1
hard: -1
nofile:
soft: 65536
hard: 65536
ports:
- 9200:9200/tcp
networks:
- graynet
restart: unless-stopped
graylog:
image: graylog/graylog:6.0.2
container_name: graylog
environment:
# CHANGE ME (must be at least 16 characters)!
GRAYLOG_PASSWORD_SECRET: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
GRAYLOG_ROOT_PASSWORD_SHA2: "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
GRAYLOG_HTTP_BIND_ADDRESS: "0.0.0.0:9XXX"
GRAYLOG_HTTP_EXTERNAL_URI: "http://XXX.XXX.XXX.XXX:9XXX/"
GRAYLOG_ELASTICSEARCH_HOSTS: "http://admin:XXXXXXXXX@opensearch:9200"
GRAYLOG_MONGODB_URI: "mongodb://mongodb:27017/graylog"
GRAYLOG_TIMEZONE: "Europe/Berlin"
TZ: "Europe/Berlin"
GRAYLOG_TRANSPORT_EMAIL_PROTOCOL: "smtp"
GRAYLOG_TRANSPORT_EMAIL_WEB_INTERFACE_URL: "http://XXX.XXX.XXX.XXX:9XXX/"
GRAYLOG_TRANSPORT_EMAIL_HOSTNAME: "outbound.mailhop.org"
GRAYLOG_TRANSPORT_EMAIL_ENABLED: "false"
GRAYLOG_TRANSPORT_EMAIL_PORT: "587"
GRAYLOG_TRANSPORT_EMAIL_USE_AUTH: "true"
GRAYLOG_TRANSPORT_EMAIL_AUTH_USERNAME: "xxxxx"
GRAYLOG_TRANSPORT_EMAIL_AUTH_PASSWORD: "xxxxx"
GRAYLOG_TRANSPORT_EMAIL_USE_TLS: "true"
GRAYLOG_TRANSPORT_EMAIL_USE_SSL: "false"
GRAYLOG_TRANSPORT_FROM_EMAIL: "graylog@example.com"
GRAYLOG_TRANSPORT_SUBJECT_PREFIX: "[graylog]"
entrypoint: /usr/bin/tini -- wait-for-it opensearch:9200 -- /docker-entrypoint.sh
volumes:
- "${PWD}/config/graylog/graylog.conf:/usr/share/graylog/config/graylog.conf"
- "graylog_data:/usr/share/graylog/data"
networks:
- graynet
restart: always
depends_on:
opensearch:
condition: "service_started"
mongo:
condition: "service_started"
ports:
- 9XXX:9XXX/tcp # Graylog web interface and REST API
- 5XXX:5XXX/udp # DH2-Agents Filebeat
- 5XXX:5XXX/tcp # DH2-Agents Filebeat
Information marked as XXXX has been redacted for privacy reasons.
To try and solve this issue, I have
- Logged out and back in in my Firefox 126.0 browser using the admin user, to make sure the session wasn’t the issue
- Updated from graylog 6.0.0 to graylog 6.0.2
docker compose pull
ed the other docker containers to their newest respective versions- Restarted the server
- Restarted the docker containers using
docker compose stop
anddocker compose up -d
Does anyone have suggestions for how to solve this issue? If additional information is required, I am happy to share it.
Thank you for your time!