Duplicate Events with AWS plugin

We recently upgraded to 3.1 from 3.0. Our alerts and notifications were migrated to the new alert system. We have a stream set up to filter certain AWS events. Because of the up to 20 minutes latency between the time the event actually occurs in AWS and the time the corresponding message is received by graylog we have the alerts configured to search within the last 20 minutes, checking every minute. This worked fine in 3.0 and previous versions. With the new system we are getting an event and subsequent notification created every minute from the time the message makes it over to graylog until the timestamp on the event is older than 20 minutes. If I shorten the search window we miss the message altogether because the timestamp on the message is the time the event occurred in AWS, not the time it was received by graylog. How can we work around this?

I’ve isolated the problem to a change in the server, not the plugin. Went back to graylog-plugin-aws-3.0.2.jar and the behavior is the same—it uses the timestamp in the message rather than the receive time to decide how old the message is.

you might want to open a bug report to make it visible to the developers.

Submitted as https://github.com/Graylog2/graylog2-server/issues/6456. (Put under graylog-server because the 3.01 plugin with the 3.1 server behaves the same way to the issue is the server)

running this combination of plugins and server is something that is not supported by Graylog - just that you know.

thank you for the issue.

I assume you mean the 3.0x plugin. I ran that just as a test on the off chance that the change in semantics was due to the plugin. In production we’re using the 3.1 plugin.

yes - running Graylog server of one specific version with a plugin that is not written for that version is not tested and supported.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.