Alerts not being triggered for [ALL MSgs]


(Anas) #1

Hi everyone,
I have an issue with the alerting system in Graylog: even though the messages are passing the rule, not all of them are triggering alerts. Some work, some don't; same grok, same format, but not all of them are working.

stream : ssh bruteforce
rule : message must contain Disconnecting: Too many authentication failures for
alert condition : Alert is triggered when there are more than 0 messages in the last 3 minutes. Grace period: 1 minute. Not including any messages in alert notification.

I tried increasing the time window to 3 and 5, same thing.

Thanks in advance

Anas


(Philipp Ruland) #2

Hey @patriote,

which version of Graylog are you using?
Depending on your version or your settings, Graylog will only fire the alert once and wait until the rule is no longer satisfied (stateful notifications). Every message after the first one that triggered the alert will keep the rule satisfied, but will not trigger another notification to be sent.

One way to improve the behaviour is to set the search timerange to 1 minute and remove the grace period. This would remove 3 minutes of time where no new notification would be sent.

Greetings - Phil


(Anas) #3

Thanks for the reply, Philipp.
Graylog v2.1.2, and I already tried what you said.

Nothing changed.
Still receiving alerts only from some machines, even though they send the same log message, which is filtered correctly in the stream rule.

I don't really understand.


(Philipp Ruland) #4

Is the list of machines that don’t trigger the alert consistent? If yes, then it could be an unknown error inside your stream configuration or something inside Graylog.

If this list is not consistent, it will most likely just be because the system sends its message while another machine has already sent a message that triggered an alert.
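
The suppression described in replies #2 and #4, as an added example that is not part of any post in this thread and is not Graylog's code: a simplified model of a stateful message-count condition, run over constructed messages from three hypothetical hosts. The once-per-minute check, the host names and the exact grace-period handling are assumptions of the model.

```python
from collections import namedtuple

Msg = namedtuple("Msg", "minute host")

# Constructed sample: minute at which each host's message matched the stream rule.
SAMPLE = [Msg(0, "web01"), Msg(2, "db01"), Msg(4, "web02"), Msg(9, "db01")]

def simulate(messages, window, grace, threshold=0):
    """Return [(check_minute, hosts_in_window)] for every notification sent.

    Simplified model (assumption): the condition is checked once per minute
    and a notification goes out only when the condition flips from
    "not satisfied" to "satisfied" outside the grace period.
    """
    notifications = []
    was_satisfied = False
    last_sent = None
    end = max(m.minute for m in messages) + window
    for now in range(end + 1):
        # Messages inside the search window (now - window, now].
        hosts = [m.host for m in messages if now - window < m.minute <= now]
        satisfied = len(hosts) > threshold
        in_grace = last_sent is not None and now - last_sent <= grace
        if satisfied and not was_satisfied and not in_grace:
            notifications.append((now, hosts))
            last_sent = now
        was_satisfied = satisfied
    return notifications

def silent_hosts(messages, notifications):
    """Hosts that matched the rule but appear in no notification's window."""
    alerted = {h for _, hosts in notifications for h in hosts}
    return sorted({m.host for m in messages} - alerted)

if __name__ == "__main__":
    for window, grace in [(3, 1), (1, 0)]:
        sent = simulate(SAMPLE, window, grace)
        print(f"window={window} grace={grace}: {sent}, "
              f"silent={silent_hosts(SAMPLE, sent)}")
```

In this model, a 3-minute window keeps the condition satisfied from minute 0 through minute 6, so the messages at minutes 2 and 4 start no new notification; with a 1-minute window and no grace period each spaced-out message starts its own.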


(Anas) #5

Could be what you said: “it will most likely just be because the system sends its message while another machine has already sent a message that triggered an alert.”

Anyway, I’ve managed to do something similar for those whose alerts I don’t receive: +5 failed auth = triggering alert.

cheers
Anas


(Andy Badera) #6

I feel like we’re in the same boat with 2.1.3. Have you achieved any resolution?


(Anas) #7

I was forced to use different streams which do the same thing for each of my Linux servers. I didn’t understand why it didn’t work, but yeah, I had to do it this way.


(Andy Badera) #8

I think our problem was using “0” for the time frame. Creating new conditions still didn’t work until I deleted the old conditions with “0” in the time field. As in, “more than 0 occurrences in the last 0 minutes.” I read somewhere that 0 is special/funny with Graylog alert conditions. Alerts have worked as expected for weeks now.