Alert timing may miss events?

If an alert is scheduled to run a query every 5 minutes, searching the previous 5 minutes of events, is it possible that it could miss events? In other words, because of the time it takes the query to run, is it possible that there could be some messages that are not within the 5-minute “history” evaluated when the next check is done 5 minutes later?

I’m trying to determine whether, for very sensitive alerts, I should check every 5 minutes and search 6 minutes of history. I run the risk of a double alert, but that way it seems I am less likely to miss anything.

Thanks,
Mark

@mmurdock
Hello,
Actually, good question. I don’t believe so, but I’m not 100% sure. I can tell you what we have done, and it’s never missed an alert.

As you stated:

This alert is for when an MSAD GPO was accessed.
In our Event Definition, under Filter & Aggregation, we have “Search within the last” set to 1 minute and “Execute search every” set to 1 minute. Our Aggregation condition is set to Count() >= 0.
For our notification settings we have a Grace Period of 1 second and 5 backlog messages.

Sorry, it’s kind of an indirect answer.
I hope that helps.

Thanks @gsmith, it’s good to get some feedback from others that have their “search within” and “search every” set to the same value. We have a similar situation where we also monitor for MSAD GPO modifications (actually any change to SYSVOL, which includes GPO modifications). Similar to the example I mention above, we’re using values of “search within” 6 minutes and “search every” 5 minutes, with what I will call a “paranoid overlap.” Your example gives me some more confidence that I could set the values to match. I will see if others are doing the same as you.
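As an added illustration of the timing question (not code from this thread or from Graylog), here is a simplified model of a scheduled search: a run at time t looks at messages timestamped in [t - window, t) that were already indexed by t. Times are in minutes, and the three events with their ingest delays are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    ts: float          # minutes: timestamp carried by the message
    indexed_at: float  # minutes: when the message became searchable (ts + ingest delay)


def runs_that_see(ev, interval, window, horizon=30):
    """Return the scheduled run times (interval, 2*interval, ...) whose search range
    [t - window, t) contains ev.ts AND for which ev was already indexed when the run started."""
    hits = []
    t = interval
    while t <= horizon:
        if t - window <= ev.ts < t and ev.indexed_at <= t:
            hits.append(t)
        t += interval
    return hits


def classify(events, interval, window, horizon=30):
    """Split events into 'missed' (seen by no run) and 'doubled' (seen by two or more runs)."""
    missed, doubled = [], []
    for ev in events:
        n = len(runs_that_see(ev, interval, window, horizon))
        if n == 0:
            missed.append(ev.name)
        elif n > 1:
            doubled.append(ev.name)
    return missed, doubled


# Constructed sample: three GPO-change style events around the run at minute 10.
EVENTS = [
    Event("on_time",      ts=9.5, indexed_at=9.6),   # indexed before the 10:00 run starts
    Event("late_by_1min", ts=9.5, indexed_at=10.5),  # indexed just after the 10:00 run started
    Event("late_by_3min", ts=7.0, indexed_at=10.2),  # ingest lag larger than a 1-minute overlap
]

if __name__ == "__main__":
    # window == interval: every message indexed after its run started is lost for good
    print("5 min every 5 min:", classify(EVENTS, interval=5, window=5))
    # window = interval + 1: a 1-minute overlap recovers lag up to 1 minute, at the cost of doubles
    print("6 min every 5 min:", classify(EVENTS, interval=5, window=6))
```

The overlap only rescues messages whose ingest lag is shorter than the overlap itself, so the extra minute is a budget for indexing delay rather than a guarantee; a grace period on the notification is what absorbs the resulting duplicates.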

No problem 🙂

I agree, we have done that multiple times. It doesn’t hurt to overlap.
We’re actually looking into scaling out our Graylog environment for several customers, and monitoring MS AD DCs just came up a couple of weeks ago in a meeting. Here is what we have been testing for a couple of months.

This is the full scope in the lab as shown below. I know as soon as a message enters one of those Streams I will get an alert.

Our streams created.

Our Event Definitions.

