Graylog 3.2 alerts

alex1 · March 10, 2020, 2:31pm

Hi there,

I have setup raw plaintext udp input in order to test some alerts. I was able to send events and search it

echo “Hello Graylog” | nc -w 1 -u 192.168.157.125 5555

After that I have setup following alert filter message:Hello OR source: 192.168.157.125 and I’m able to see the result on Filter Preview

My Group by Field(s) is message and source

The condition is:

IF count() message > 2 OR count() source >2 ANY ANY

Everthing seems ok, but when I send some events there is no alerts

Notification part is working ok, there is no errors in log file
Should I install something additional for alerts ?

alex1 · March 11, 2020, 1:11pm

I found that the problem is only with Aggregation of results reaches a threshold

For example I have tried to setup alert for 2 or more events 5140(S, F): A network share object was accessed.

I use SubjectUserName as filter as you can see from attached screen, and count(), but without any success

system · March 25, 2020, 1:15pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Events based on NOT receiving a message Graylog Central (peer support)	2	930	July 8, 2021
Alert if no logs Graylog Central (peer support)	3	2907	March 11, 2020
Send alert based on message content Graylog Central (peer support)	3	3031	October 10, 2017
Alerts Not Triggering Graylog Central (peer support)	5	1318	May 2, 2018
Graylog 3.1 Alert Notification using Event Definition with Aggregation Graylog Central (peer support)	15	2470	January 5, 2020