Alerting Not Working 2.1.3


(GT) #1

Hi,
So we have an instance of Graylog which is 2.1.3 and we’re trying to get our alerting working. We have configured everything so that it should work, and we can receive test email alerts; however, alert conditions aren’t being triggered.

Here you can see the alert conditions:

Here you can see messages in the stream:

As you can see the alert conditions are being met however they aren’t actually being triggered.

There isn’t anything in the log files that relates to this.

G


(GT) #2

Still can’t get alerting to work, can anyone offer any assistance?

G


(GT) #3

We have now upgraded to 2.2.3 and still no joy. I have configured alert conditions which should be triggered but aren’t.
Please can I get some help on this, I urgently need to fix it.

Thank you in advance

G


(Jan Doberstein) #4

Hej @GTownson

sorry, that is something that can’t be debugged with a :crystal_ball: - you should check if the condition you have in the alert can be found by a search, to be sure that it works.


(GT) #5

Hi Jan, I have verified that multiple different conditions are being met. I have one that is set to alert when the field ‘Channel’ has a value of ‘Security’ and it still won’t alert.

The only alert I can get to work is when ‘All messages’ has less than 4000 logs per minute.

Have I configured something completely wrong as to my knowledge this should work fine?

Thanks,

G


(GT) #6

Slight update, the rule that works (less than 4000 messages a minute in ‘All messages’) seems to tell me that the alerting can’t actually see anything in the streams.

This Graylog instance is currently getting about 2k messages in the past 5 minutes.

Any more ideas?

Thanks,

G


(GT) #7

I’ve set Graylog to debug mode and found this in the logs.

2017-07-07T14:34:10.813+01:00 DEBUG [AlertScannerThread] Stream [000000000000000000000001: "All messages"] has [3] configured alert conditions.
2017-07-07T14:34:10.813+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field field of type text in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field value of type text in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field grace of type number in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field backlog of type number in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field field of type text in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field value of type text in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field grace of type number in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field backlog of type number in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field time of type number in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field threshold_type of type dropdown in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field threshold of type number in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field grace of type number in configuration
2017-07-07T14:34:10.814+01:00 DEBUG [ConfigurationRequest] Checking for non-optional field backlog of type number in configuration
2017-07-07T14:34:10.816+01:00 DEBUG [FieldContentValueAlertCondition] Alert check <aef1240c-9e84-46db-8d7c-18b25624612c> returned no results.
2017-07-07T14:34:10.816+01:00 DEBUG [AlertScanner] Alert condition [aef1240c-9e84-46db-8d7c-18b25624612c:field_content_value={field: source, value: xxxxxxxxxxxxxxxxxxxx: "All messages"}] is not triggered and is marked as resolved. Nothing to do.

G


(GT) #8

I have resolved the problem. I had the Aggregates plugin version 1.0.1 installed and configured, and am running Graylog 2.2.3.
I read somewhere that plugins may interfere with Graylog’s own Alerting, so I have just completely removed the Aggregates plugin and restarted the Graylog service. This seems to have now fixed the issue, as I received an Alert that the ‘All Messages’ stream had more than 1 message in a minute. I will test further and report back if there are any other issues.

G


(Jan Doberstein) #9

Hej G,

you should notify the Plugin author about that issue - this would be the best solution to have it working.


(GT) #10

Removing the Aggregates plugin allows me to create alerts on the message count condition and they work perfectly. However, alerts will not work on message content aggregation or message field content.

Any ideas?

I will also get in contact with the plugin author.

G


(GT) #11

Still having no luck, I can alert on Message Count but not on actual Message Content.
I have another Graylog instance on the same version, so I copied and pasted the server.conf over (changed IPs etc.) to see if something in the config was an issue, but the alerts still don’t work.
Could anyone explain how alerting actually works in the backend, as then I may be able to have a clearer picture of what could be wrong?

Thank you in advance,

G


(system) #12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.