Alert Notification

gsmith · September 13, 2019, 3:06am

All,
I’m looking for a way to setup my Notification and/or Alerts for a specific time.
I Created a Stream Called:

Windows: User Successful Logon to Computer

The rules are:

Field EventID must match exactly 4624 (Successful login)
Field LogonType must match exactly 2 (A user logged on to this computer.)

This notifies me when any user/s logged into a Windows machine, from there I configure Event Definitions called:

User Has Logon Outside Business Hours

I’m trying to set it up to receive alerts from the hours of 5PM to 8 AM.
I don’t know if this is possible. I tried to create different field called user_time but it just gave me all the users logged in for the day.

My Environment:
CentOS 7 Latest Version
Graylog 3.1.1+b39ee32
Elasticsearch-6.6.1-1.noarch
Mongodb-org-4.2.0

Also, I looked through here. Maybe I missed something.
https://docs.graylog.org/en/3.1/pages/streams/alerts.html

Any advice, Ideas or direction would be appreciated.
Thank you in advance.

gsmith · September 14, 2019, 2:31am

Think I may have found my answer here;

gsmith · September 17, 2019, 4:09am

Working on the Pipeline rule and cannot seem to get it to work.
I have stream called “Windows: User Successful Logon to Computer” so all users logging in gets dumped in that stream (24/7)
Then I created a pipeline rule for users logging in between 5 and 12 and “trying” to route it to a stream called “User Has Logon Outside Business Hours”.

I tried two different ways to make this happen. The first attempt I had one stage and one rule

My second attempt was to make two Stages and two Rules.

This is my first attempt to make Pipelines, any help would be apperciated, Thank you

gsmith · September 24, 2019, 3:22am

I’m still trying, I think my rule is misconfigure but dont know what could be wrong.

rule “Between 5 and 12”
when
to_long(is_date($message.timestamp).hourOfDay) >= 5 &&
to_long(is_date($message.timestamp).hourOfDay) <= 12
then
set_field(“time_alert”, true);
end

rule “route to stream”
when
has_field(“time_alert”)
then
route_to_stream(id:“5d78402683d72e7e4778f531”);
end

Any help or direction would be apperciated. Thanks

jan · September 24, 2019, 6:50am

as Graylog runs the checks you use on UTC that might not work in your local timezone.

You need to adjust that:

gist.github.com

https://gist.github.com/jalogisch/72455fc830d6e0ab41f0c6aacb1c2bb9

gistfile1.txt

rule "off work hours"
when
	( to_long(to_date($message.timestamp, "Asia/Manila").hourOfDay) >= 0 AND to_long(to_date($message.timestamp, "Asia/Manila").hourOfDay) <= 6 ) OR
	( to_long(to_date($message.timestamp, "Asia/Manila").hourOfDay) >= 18 AND to_long(to_date($message.timestamp, "Asia/Manila").hourOfDay) <= 0 )
then
	set_field("trigger_workhours_off", true);
end


rule "off work weekend"

This file has been truncated. show original

system · October 8, 2019, 6:50am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Get notifications from alerts that come during specific timeframe Graylog Central (peer support)	5	626	March 11, 2019
Graylog Alerting pipelines Graylog Central (peer support)	4	1460	June 27, 2018
Graylog alerting per unique message Graylog Central (peer support) pipeline-rules , route-to-streampl	3	821	November 1, 2017
To mute whole streams alerts on non prod hours Graylog Central (peer support)	9	1262	November 29, 2018
Graylog conditions and alerts: Limit to windows of time? Graylog Central (peer support)	7	1687	February 2, 2019

Alert Notification

Related Topics