Event Definition Summary

Graylog Central (peer support)
1

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:
Hi everyone, I want to configure event definition so graylog would execute search only once and it should collect all logs and send to me in one notification. For example I wrote a pipeline which tells graylog to execute search after 6 o’clock everyday and at 9 in the morning it should stop the search. I want to configure Event Definition to execute search only once from 6 to 9 like summary and send me all logs that have been captured during this time. If it is possible please help. Thanks!

2. Describe your environment:

  • OS Information: Centos Linux 7

  • Package Version: 4.3.5

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?

I have created the event notification and pipeline.

1
1952×867 29.1 KB

2
2957×875 52.5 KB

3
31864×711 67.6 KB

4
41888×878 51.1 KB

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

2

Hello @turb0snail

I have done something similar, its is in three parts.

  1. Pipeline executing the search on a specific date/time and route those logs into a custom stream.
  2. Event Definition Search within the last (search, past time), & Execute search every.
  3. Notifications Grace Period, (Basically how long to wait to send notification)

For example I have a user logon after hours ( Alert) && I also have user logon weekends.
I have three rules connected to one pipeline.

image
image1290×780 42.2 KB

As for setting a specific time (i.e., 9PM) to send the alert I haven’t seen one, its basically dump it in a stream an set your search parameters/backlogs needed. Unless someone else here has done this.

With the Operation/Enterprise version you can.
Example:

image
image1591×769 78.7 KB

Hope that helps

1 Like
3

Hi, gsmith for answer, could you please elaborate your pipeline section, as you can see in my pipeline there are two of them. In first stage I am setting out_of_work hours and in second stage I am implementing nonworkdays pipeline. However in your pipeline you wrote Route to stream rule. But I am not routing messages to the stream why you wrote this rule and could you please share this rule code.

1
1940×811 42.9 KB

This is mine workdays rule for DC.

4

Additionally, sometimes these pipeline rules is not working correctly and after rebooting the system, pipeline is starting to work. By the way thanks for sharing this valuable information with me it seems to me that reporting system is available only in enterprise mode.

5

Hello

Yes, you can find it here…

The reason I have route_to_stream is for my event definition. while back I had some white noise so I decided to configured it this way. Soon as the logs hit this stream I can fine tune my Search within the last
Example:

image
image1043×668 29.3 KB

What I tried to do is make it Simple, Accurate, and Reliable.

2 Likes
6

Thank you for response that helped to me

1 Like
7

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.