Graylog 3.2 alerts

alex1 · March 10, 2020, 2:31pm

Hi there,

I have setup raw plaintext udp input in order to test some alerts. I was able to send events and search it

echo “Hello Graylog” | nc -w 1 -u 192.168.157.125 5555

After that I have setup following alert filter message:Hello OR source: 192.168.157.125 and I’m able to see the result on Filter Preview

My Group by Field(s) is message and source

The condition is:

IF count() message > 2 OR count() source >2 ANY ANY

Everthing seems ok, but when I send some events there is no alerts

Notification part is working ok, there is no errors in log file
Should I install something additional for alerts ?

alex1 · March 11, 2020, 1:11pm

I found that the problem is only with Aggregation of results reaches a threshold

For example I have tried to setup alert for 2 or more events 5140(S, F): A network share object was accessed.

I use SubjectUserName as filter as you can see from attached screen, and count(), but without any success

Topic		Replies	Views
Graylog 6.0 Triggering alerts when conditions not met Graylog Central (peer support) alert	5	182	October 11, 2024
To make alert based on frequeny of messages Graylog Central (peer support)	7	695	July 1, 2021
Alerting Not Working 2.1.3 Graylog Central (peer support)	11	1493	July 25, 2017
Graylog Alert Fields are not getting filled when using a Threshold Graylog Central (peer support)	12	414	September 6, 2025
Alert if no logs Graylog Central (peer support)	3	3360	March 11, 2020