last year I installed a Graylog cluster in our organization and it works great .
We recently opened Graylog for other departments who would like to create and edit alarms for their own needs. Currently, they want to create alarms so when a certain application is throwing an error the responsible team and only that team receives an e-mail. Since all notifications of a stream are triggert if only one condition is true a new stream per application is required. So in order to meet their requirements we would have to give them create/edit/read permissions on streams and alerts, but we cannot do that since it would give all users access to all messages by defining a stream rule like “source = *” (departments are not allowed to see logs with sensible information). I also noticed that in order to create alarm conditions/notifications the user requires edit permissions on the stream the alarm is bound to.
I know that with the current version of Graylog, giving users edit permissions on streams allows full access to all messages, but is there a way to allow the users to create and edit alarms without giving them full access? Currently, they have to contact us every time when an alarm has to be created or modified, which happens quite often and is not a great user experiance .
thank you for your replys, I was afraid that this is currently not supported .
I checked the current Issues on GitHub and found mutliple open cases regarding this problem:
Unfortunatlly, there hasn’t been much activity on them after the initial creation so I think this will not be resolved any time soon.
In my opinion, the most promising solution to this problem, besides making the rights on alarms independent of streams, is to allow roles the creation of sub-streams. With that the admins can define a certain space that a role cannot leave while at the same time giving users the flexibility to quickly create and modify their own filters/alarms according to their own needs. There is already an quite old feature request for that (382).
For my case I will probably create a wrapper around the API to provide a workaround.
.
.
.