Backlog - finding related logs

damian · July 21, 2017, 1:59am

Hello

We have installed Graylog to use for capturing logs from our integration platform.

Our desire is trigger an alert on particular attribute ( i.e. level = ERROR ) in a log, and then see all the logs that are related to that log in an automated email (notification)

The context is that we add a unique value to a message as it passes through our integration platform, a correlation-id field.
This field is included in all logs related to that message as it passes between systems in our infrastructure.

What we are looking to do is

trigger an alert based on condition ( i.e. level = ERROR )
capture the value in the correlation-id field
populate the backlog with all logs that have the same correlation-id
create a notification using backlog, which now has all log messages corresponding to the triggering message

I can’t seem to find a way to make this work, either by searching for just those messages as described above, or alternatively choosing a large backlog (100+) and then filtering out logs which are not desired (i.e. different correlation-id value).

Can someone please tell me

if what we are looking for is achievable ?
if the way that needs to be achieved is by creating a plugin, or some other mechanism, can someone please point me in the right direction so that I can start to investigate how we can implement that functionality.

Thanks kindly

Damian

jan · July 21, 2017, 7:36am

Hej @damian

currently your request is not possible with vanilla Graylog. You need to write your own alerting plugin that is capable doing this. Or you are scripting something yourself using the API of Graylog.

What is important about plugins is written in the documentation.

damian · July 24, 2017, 12:13am

Hello

Thanks, I will start my plugin from the sample on the github (i.e. https://github.com/Graylog2/graylog-plugin-sample/tree/2.2 )

I have also had a look at the documentation (and samples) for alert conditions and alert notifications :
http://docs.graylog.org/en/latest/pages/plugins/alert_conditions.html#alert-conditions-api
http://docs.graylog.org/en/latest/pages/plugins/alert_notifications.html#alert-notifications-api

I can’t see any mention of the “backlog” attribute / class, should I be able to find this in API documentation ?
or should I just start as above and once the relevant classes are added to the project use code complete etc to browse for the relevant class attributes to find the backlog ?

Thanks in advance
Damian

system · August 7, 2017, 12:13am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Notifications, Related / Grouped Log Messages - Integrated Applications Use Case Graylog Central (peer support)	0	414	April 2, 2017
Send alert based on message content Graylog Central (peer support)	3	3162	October 10, 2017
Alerts and further information Graylog Central (peer support)	8	980	June 11, 2018
Alert: logID + log content Graylog Central (peer support)	2	443	January 2, 2020
Notifications on Unique instance Graylog Central (peer support)	2	494	October 2, 2017

Backlog - finding related logs

Related topics