Alert notifications should be bound to alert conditions instead of streams

Hello,

First of all, this new forum looks great! Good job!

I have long waited to see the renewed Alerts system in Graylog 2.2.0. I have done an upgrade to my test environment and I have been playing with the new alerts.

So my concern is that alert notifications still seem to be bound to streams? I wish they would be bound to alert conditions, so that would allow custom and specific email messages based on the alert condition.

For example (not a real-life scenario): There is a stream called Syslog. I’ll create an alert condition “Alert when the message count is more than 100000 in the last 5 minutes” and bind this to the stream Syslog. Now, I’d like to send an email to "foo@baz.com" when this alert condition triggers. I’ll create another alert condition “Alert when the message count is less than 50 in the last 5 minutes” and bind this to the stream Syslog too. And now, I’d like to send email to "bar@baz.com" when this alert condition triggers.

I think I cannot do this within a single stream? I’d need to create two streams with the same syslog messages. And then one alert condition would be bound to the first stream, and another alert condition would be bound to the second stream. This way I could have individual alert notifications, but I’d like to have them without multiple streams.

Please correct me if I’m wrong. :slight_smile: Thanks.

Br,
Henri


Hej @hezor

You are right, currently your given scenario is not possible. But we already have some feature issues on GitHub that address this:

https://github.com/Graylog2/graylog2-server/issues/3475

Additionally, the feature to be able to search on multiple streams with some virtual or meta stream would solve your issue

https://github.com/Graylog2/graylog2-server/issues/3473

or at least give you an option how to solve this.

Please feel free to add your use case to the issues to give them more examples.


Hello,

I totally agree with Henri.

It seems reasonable to configure streams per kind of information. For example:

  • API Monitoring logs for Production environment
  • API Monitoring logs for non-Prod environment
  • API Runtime logs for Production environment
  • API Runtime logs for non-Prod environment

Based on 1 stream (i.e. kind of information), we may need to trigger multiple alerts based on conditions, like:

  • Alert Team#1 if status=failed and asset=client_api_v1 within stream and such messages>5 for stream “API Monitoring logs for Production environment”
  • Alert Team#2 if status=failed and asset=supplier_api_v1 within stream and such messages>2 for stream “API Monitoring logs for Production environment”
    and so on …

Am I using streams the right way? (i.e. for a kind of data)

Is the scenario now possible from a recent version of Graylog?

PS: I don’t think that the 2 links on GitHub address this specific issue.

Thanks,

Guillaume

@yomgui666

If the specific issues do not reflect your wanted feature, feel free to open a new one!

As of the time of writing, the current stable version 2.4.6 did not have that, and as you can see it is targeted for the next major release.