Event Definition on two results

1. Our question:

Hi All, we are trying to create an alert definition that should be the sum of two results.

In short CsapLocAisTxServer1 AND CsapLocAisTxServer2, but they won't come in one
document / message and could be coming in over more than 30 minutes.

If one service is down it is not a problem, if both services are down an alert should
be provided by the alerting system.

Is this possible in one event definition, or does one have to create both Event Definitions
and create a third that does a correlation of the first two rules?

2. Describe your environment:

  • Rocky Linux 8

  • Package Version:
    Graylog 4.3.13+7f1d15d Enterprise

  • Service logs, configurations, and environment variables:

4. How can the community help?

Help to provide an answer or solution


Hey @Arie

In the Event definition have you tried to configure the section Create Events for Definition if…

If you have a license the Event Correlation might work for you. Just an idea


Hello,

If you don't have the Enterprise license you can try our plugin GitHub - airbus-cyber/graylog-plugin-alert-wizard: Alert Wizard plugin for Graylog to manage the alert rules. Choose the "AND" type. In the backend it will create 2 Streams, 1 for CsapLocAisTxServer1 and 1 for CsapLocAisTxServer2, and the rule will trigger only if there is 1 log in both streams in the same period (with some fields in common like source).


Hi @gsmith

Trying right now thank you.

The search is

hostname:sbais.aismux AND HTTP AND HARD AND CRITICAL AND CsapLocAisTxServer*

and the aggregation is IF (count) Is > 1

Checked it with some old events

Kind greetings,

Arie
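An added illustration, not from the thread or from Graylog's own code, of the difference between the "count > 1" rule above and a rule that requires both distinct services to appear in the 30-minute window: a plain count also fires when a single server logs its CRITICAL state twice, which the question explicitly did not want to alert on. The hostname, timestamps and log lines are constructed sample data.

```python
from datetime import datetime, timedelta

SERVICES = ("CsapLocAisTxServer1", "CsapLocAisTxServer2")

# Constructed sample messages (timestamp, hostname, message); not real logs.
SAMPLE_LOGS = [
    (datetime(2023, 1, 1, 10, 0), "sbais.aismux", "HTTP CRITICAL HARD CsapLocAisTxServer1 down"),
    (datetime(2023, 1, 1, 10, 5), "sbais.aismux", "HTTP CRITICAL HARD CsapLocAisTxServer1 down"),
    (datetime(2023, 1, 1, 10, 25), "sbais.aismux", "HTTP CRITICAL HARD CsapLocAisTxServer2 down"),
    (datetime(2023, 1, 1, 11, 30), "sbais.aismux", "HTTP CRITICAL HARD CsapLocAisTxServer1 down"),
]


def matches(hostname, message):
    """Mirror the thread's search: hostname AND HTTP AND HARD AND CRITICAL AND CsapLocAisTxServer*."""
    return (hostname == "sbais.aismux"
            and all(tok in message for tok in ("HTTP", "HARD", "CRITICAL"))
            and any(svc in message for svc in SERVICES))


def service_of(message):
    """Return which of the two services the message refers to (None if neither)."""
    for svc in SERVICES:
        if svc in message:
            return svc
    return None


def evaluate(logs, at, window=timedelta(minutes=30)):
    """Return (matching message count, set of distinct services) for the window ending at `at`."""
    hits = [msg for (ts, host, msg) in logs
            if at - window <= ts <= at and matches(host, msg)]
    return len(hits), {service_of(msg) for msg in hits}


def both_down_count(logs, at):
    """The rule from the thread: aggregation count > 1 in the window."""
    count, _ = evaluate(logs, at)
    return count > 1


def both_down_distinct(logs, at):
    """Stricter rule: both distinct services must be seen in the window."""
    _, seen = evaluate(logs, at)
    return seen == set(SERVICES)
```

In Graylog this stricter variant corresponds to extracting the service name into its own field (extractor or pipeline rule) and aggregating with a cardinality (card) function on that field instead of a plain count.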
