Cardinality based condition?


I am using Graylog to monitor DNS resolution errors.

Is there a way to trigger an alert based on field cardinality? I don’t want to base it on the absolute number of failed queries per time interval, which can easily be triggered by a single misconfigured client, but on the cardinality of DNS requests and client IP addresses.

Is there any way to do this? I see that it’s easy to generate graphs of field cardinality, which are really useful. It would be great to be able to generate alerts based on that as well.

I have tried graylog-plugin-aggregation-count and it seems to do what I need, although I am still not sure about the results.

Anyway, it would be great to have a built-in “cardinality” option for condition triggering. Ideally, condition triggers should mimic what it is possible to represent in a graph.
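The distinction the post draws, a raw failure count versus the number of distinct clients or names behind those failures, can be shown concretely. The following is an added example, not code from the original post or from Graylog or graylog-plugin-aggregation-count: it evaluates both kinds of condition over constructed DNS failure records in fixed one-minute windows. The log line format, field names, window size and thresholds are all assumptions chosen for illustration.

```python
"""Added example: count-based versus cardinality-based alert conditions over
constructed DNS resolution failures (log format and thresholds are assumed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List

# Constructed sample lines. Assumed format: "<ISO timestamp> <client_ip> <qname> <rcode>".
# Window 10:00 - one misconfigured client failing 20 times on the same name.
# Window 10:05 - eight distinct clients each failing once on a distinct name.
NOISY_CLIENT = [
    f"2024-05-01T10:00:{s:02d} 10.0.0.5 intranet.example SERVFAIL" for s in range(20)
]
DISTRIBUTED = [
    f"2024-05-01T10:05:{i:02d} 10.0.1.{i} host{i}.example NXDOMAIN" for i in range(1, 9)
]
SAMPLE_LOG = NOISY_CLIENT + DISTRIBUTED


@dataclass
class Record:
    ts: datetime
    client: str
    qname: str
    rcode: str


def parse_line(line: str) -> Record:
    """Parse one constructed log line into a Record."""
    ts, client, qname, rcode = line.split()
    return Record(datetime.fromisoformat(ts), client, qname, rcode)


def window_stats(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Bucket failed lookups into one-minute windows (keyed by ISO start time)
    and compute, per window, the raw count and the cardinality of clients and names."""
    buckets: Dict[str, List[Record]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec.rcode == "NOERROR":  # only resolution failures are of interest
            continue
        start = rec.ts.replace(second=0, microsecond=0).isoformat()
        buckets[start].append(rec)
    return {
        start: {
            "count": len(recs),
            "clients": len({r.client for r in recs}),
            "qnames": len({r.qname for r in recs}),
        }
        for start, recs in buckets.items()
    }


def evaluate(stats: Dict[str, Dict[str, int]],
             count_threshold: int = 10,
             client_threshold: int = 5) -> Dict[str, List[str]]:
    """Apply both conditions to every window and report which ones fired.
    'count' is the absolute-number condition; 'cardinality' fires only when
    enough distinct clients are affected, so one noisy host cannot trip it."""
    fired: Dict[str, List[str]] = {}
    for start, s in sorted(stats.items()):
        reasons = []
        if s["count"] >= count_threshold:
            reasons.append("count")
        if s["clients"] >= client_threshold:
            reasons.append("cardinality")
        fired[start] = reasons
    return fired


if __name__ == "__main__":
    stats = window_stats(SAMPLE_LOG)
    for start, reasons in evaluate(stats).items():
        print(start, stats[start], "fired:", reasons or "none")
```

With the assumed thresholds, the 10:00 window (20 failures, 1 client) trips only the count condition, which is exactly the single-misconfigured-client false positive the post wants to avoid, while the 10:05 window (8 failures, 8 clients) trips only the cardinality condition even though its raw count is below the count threshold.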

