So I had an interesting case come up where there is interest in monitoring VPN tunnels from appliances. We receive messages telling us a tunnel went down, and a message when the tunnel comes back up.
They would like to trigger an alert if we see a ‘down’ message that is not followed by an ‘up’ message within a specific period of time (say 5 minutes). Currently I have not been able to find any way in Graylog to accomplish this. Anyone have any ideas short of a completely custom alert condition plugin?
@jan unfortunately slookup won’t be able to help with this aspect, as it would only help in backward-triggering circumstances (if I see a condition, and I don’t see a previous condition, then fire an alert).
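The forward-looking correlation asked about above (a 'down' with no matching 'up' inside the window), as an added example that is not part of the original posts and is not a Graylog feature or API. It is standalone Python run over constructed log lines; the message format, host names and tunnel names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample messages; the format and all names are assumptions.
SAMPLE_LOG = """\
2024-05-01T10:00:00 fw01 vpn: tunnel site-a down
2024-05-01T10:02:10 fw01 vpn: tunnel site-a up
2024-05-01T10:03:00 fw01 vpn: tunnel site-b down
2024-05-01T10:04:00 fw01 vpn: tunnel site-b down
2024-05-01T10:11:30 fw01 vpn: tunnel site-b up
2024-05-01T10:12:00 fw02 vpn: tunnel site-c down
2024-05-01T10:18:00 fw02 vpn: tunnel site-d down
"""

LINE_RE = re.compile(r"^(\S+) (\S+) vpn: tunnel (\S+) (up|down)$")

def parse(log_text):
    """Yield (timestamp, (host, tunnel), state) for each recognised line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, tunnel, state = m.groups()
            yield datetime.fromisoformat(ts), (host, tunnel), state

def unrecovered_downs(events, now, window=timedelta(minutes=5)):
    """Return [(key, down_time)] for every 'down' with no 'up' inside window."""
    pending = {}   # key -> time of the first unanswered 'down'
    alerts = []
    for ts, key, state in sorted(events, key=lambda e: e[0]):
        if state == "down":
            pending.setdefault(key, ts)      # a repeated 'down' keeps the first time
        elif key in pending:
            down_ts = pending.pop(key)
            if ts - down_ts > window:        # recovered, but after the window
                alerts.append((key, down_ts))
    # Tunnels still down: alert only once the window has fully elapsed.
    alerts += [(k, t) for k, t in pending.items() if now - t > window]
    return sorted(alerts, key=lambda a: a[1])

def demo(now="2024-05-01T10:20:00"):
    return unrecovered_downs(parse(SAMPLE_LOG), datetime.fromisoformat(now))

if __name__ == "__main__":
    for (host, tunnel), down_ts in demo():
        print(f"ALERT {host}/{tunnel}: down since {down_ts.isoformat()}")
```

Run periodically with `now` set to the current time, the same function covers both the tunnel that never came back and the one that came back late; a streaming version would hold the `pending` map in state and check it on a timer.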