Count of each unique message text per backlog entry in event / notification?

Graylog Central (peer support)
1

Hello,

I have been trying to find a solution where I could check daily the list of error logs and summarize the message values with the same text and the count of each message type and include the results in a notification.

“User could not log in” x 3
“Invalid IP trying to access backend” x 1
“Invalid password when logging in” x 2

Instead of including all the backlog with the same messages:
User could not log in
User could not log in
User could not log in
Invalid IP trying to access backend
Invalid password when logging in
Invalid password when logging in

Trying to work out how to do this aggregation and include the count as a field in the backlog entry?

Cheers,
Mason

2

@masonb81

I maybe able to help.

My solution for this would be Graylog 4. Under Alerts tab.

image
image1835×949 143 KB

Is this what your referring to?

If so, this is my Event Definition Summary, For my notification I’m using default template.

image
image1897×859 54.9 KB

EDIT: Sorry I’v been work for two days, Tired :slight_smile: . I just noticed you are also talking about notifcation configuration also. This is posible in creating a notification for your Event Definition.

Here is a example of my unique notification

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Stream URL:           ${event.stream_name}          
${if stream_url}Stream URL: ${stream_url}${end}

${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
https://graylog.doamin.com:9000/messages/${message.index}/${message.id}

User:                           ${message.fields.TargetUserName}
WorkStation Name:               ${message.fields.WorkstationName}
Event Time:                     ${message.fields.EventReceivedTime}
Source:                         ${message.source}
Logon Type:                     ${message.LogonType}
---[backlog end]---------------------------------
${end}
${end}

This is my email received.

image
image847×639 17.6 KB

Hope that helps.

1 Like
3

Hi,

I was hoping more to include all of the backlog messages into a single notification but instead of showing messages with the same message text that it would group by them and show the count so the notification content would look similar to this:

“Incorrect password” x 2
“DB connection error” x 5
“User cannot login” x 3

Instead as these are separate messages my notification looks like this at the moment:

Incorrect password
Incorrect password
DB connection error
DB connection error
DB connection error
DB connection error
DB connection error
User cannot login
User cannot login
User cannot login

I guess the core of my question is how can I group by the short message field and include the count of those within the backlog? maybe it’s not possible but thought I would ask.

Cheers again.
Mason

4

Hello,

Are all these alerts in one stream?

The Create Events for Definition does have the count which shows message count in the notification but as for notifications to group them up on the free version of Graylog, I personally haven’t seen that yet.
I know this is not what you want, but you can accomplish this with three different streams and three different Events for Definition. Just an idea.

5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.