Graylog 4.1.5 - Notifications - One Mail per Event - No Backlog

Hi!

I am trying to set up a notification for aggregated events:
“Filter has results”, Search every 2 min within 2 min, Mail Notification, backlog 50.

But:
One mail is triggered for each event - although they happen within one second. Backlog does always contain one single message and:

Timerange Start: ${event.timerange_start}
Timerange End: ${event.timerange_end}
→ Both Timeranges are empty.

Do you have any idea why this happens and how to solve this?

Thank you and best wishes!
KPS

Hello && Welcome

To help you further I need to ask a couple of questions. Maybe we can narrow it down.

  1. When these events come in, are they all together or do they arrive every 2 minutes? If so, have you tried to expand your search time?
  2. What version of Graylog are you using?
  3. Can you show your full configuration of your alert Definition?
  4. What have you done/tried to resolve this issue?

Hi!

When these events come in, are they all together or do they arrive every 2 minutes?
As written in my post: The events arrive in a small timeframe - mostly within one second

What version of Graylog are you using?
4.1.5 community

Can you show your full configuration of your alert Definition?
Which part of the config is missing? Filter is working on Stream “All messages”. Search query is: (cat:GPOMgmtReports OR cat:ADVGPOReports) AND NOT cs4:"Computer Version (Sysvol)"

What have you done/tried to resolve this issue?
I tried to increase the timeframe, but as it seems to be ignored, nothing changed.

Hello,
Maybe try to adjust your Grace Period?

My apologies, I just realized you put your GL version in the title of this post.

Hi!

I tried grace period, but there is still not a mail with “multiple” backlog messages. But: now, some messages are just lost.

If a message arrives <60s after the first one, it does just not trigger any notification.

Do you have any other idea?
Thank you for your help

Hello,

Let me sum this up so I can get a better idea what’s going on.

  1. You are receiving logs from your remote devices in a small time frame, correct?
  2. Filter configuration is set to Search within the last 2 minutes & Execute search every 2 Minutes and the search query configuration/s is working fine? Does it look like this?

  3. The Grace Period is set to 0 with a backlog of 50? If so, that's a lot of backlogs.
  4. You receive one email notification with one backlog?
  5. You want one email with 50 backlogs?

If this is all correct I would try the following to see if that helps. First I would match my notification grace period with my search query.
Something like this.

Then I would check my Notification template configuration. It should look something like this.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Streams:              ${event.streams}
Source Stream:        ${event.source_streams}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

If all of those are set then I would check your Aggregation configurations. I’m assuming at this point that your configurations may look like this.

Hope that helps

Hi!

Thank you for helping me!
I just found my mistake. I was not aware that I need to set aggregation on the count to get the backlog. Now, everything is working fine!

Thank you!

That’s great. Glad I could help.