Graylog Alerting pipelines

Hello community!

I want to know if it is possible to create an alert and apply it to a time slot.

Example: an unsuccessful SSH connection between 00:00 and 06:10.

Would it be possible to have a syntax to use processing pipelines for checking the time?

For example: checking between 00:00 and 06:00 every day.

Thanks for your feedback

As @jan already described in Graylog Alerting Question, you could write a pipeline rule which checks if the “timestamp” field contains a timestamp between 0 and 6 o’clock, and then sets a custom flag field.

Once the field’s there, you can create an alert condition which checks the field content and triggers an alert if your conditions have been met.

Example:

rule "Between 0 and 6 o'clock"
when
  // hourOfDay is an integer 0-23, so "< 6" ends the slot at 05:59:59;
  // "<= 6" would extend it to 06:59:59. Graylog stores timestamps in UTC;
  // pass a zone as the second argument, e.g. to_date($message.timestamp, "Europe/Paris"),
  // to check the local wall-clock hour instead.
  to_date($message.timestamp).hourOfDay < 6
then
  set_field("trigger_alert", true);
end

Hello community!

Thank you for your reply

I want to do other scenarios, such as the detection of several unsuccessful SSH attempts followed by a success for the same user. Is it possible to do that in Graylog?

Thanks for your feedback

You could probably build something like this with the 3rd party SLookup plugin.
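As an added example that is not part of the original thread (it is neither Graylog pipeline code nor the SLookup plugin the reply mentions), the Python script below implements both checks discussed above against constructed sshd log lines: the 00:00-06:00 time slot from the first question, and the "several failures followed by a success for the same user" correlation from the second. Graylog keeps `timestamp` in UTC, so the slot check takes a time zone and shows how a 23:30 UTC event becomes 00:30 in UTC+1; it also handles slots that cross midnight, which goes beyond the single window in the question. The log lines, the year 2024, the UTC+1 offset and the names `correlate`, `in_time_slot` and `parse_line` are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, time, timedelta, timezone

# Constructed sshd lines for this example (syslog format, no year). Not real data.
SAMPLE_LOG = """\
Mar 10 02:14:01 bastion sshd[1201]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:05 bastion sshd[1201]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:09 bastion sshd[1201]: Failed password for alice from 203.0.113.7 port 51022 ssh2
Mar 10 02:14:20 bastion sshd[1203]: Accepted password for alice from 203.0.113.7 port 51030 ssh2
Mar 10 03:00:00 bastion sshd[1400]: Failed password for invalid user carol from 192.0.2.5 port 2222 ssh2
Mar 10 03:00:30 bastion sshd[1401]: Accepted password for carol from 192.0.2.5 port 2223 ssh2
Mar 10 09:30:00 bastion sshd[1300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 10 09:30:04 bastion sshd[1300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 10 09:30:08 bastion sshd[1300]: Failed password for bob from 198.51.100.9 port 40000 ssh2
Mar 10 09:30:15 bastion sshd[1301]: Accepted publickey for bob from 198.51.100.9 port 40010 ssh2
"""

LOG_YEAR = 2024                            # syslog lines carry no year; assumed for the example
LOG_TZ = timezone.utc                      # Graylog stores timestamps in UTC; lines are read as UTC
LOCAL_TZ = timezone(timedelta(hours=1))    # assumed stand-in for the operator's local zone
NIGHT_SLOT = (time(0, 0), time(6, 0))      # the 00:00-06:00 window from the question

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return (timestamp, success, user, ip) for an sshd auth line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    stamp = f"{LOG_YEAR} {m['mon']} {m['day']} {m['hms']}"
    ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=LOG_TZ)
    return ts, m["outcome"] == "Accepted", m["user"], m["ip"]


def in_time_slot(ts, start, end, tz=timezone.utc):
    """True if ts falls in [start, end) on the wall clock of tz.

    The end is exclusive, so (00:00, 06:00) stops at 05:59:59, matching the
    pipeline rule's `hourOfDay < 6`. Slots that cross midnight, such as
    (22:00, 04:00), are handled as well.
    """
    t = ts.astimezone(tz).time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end


def correlate(log_text, threshold=3, window=timedelta(minutes=10), slot=None, tz=timezone.utc):
    """Flag a successful login that follows >= threshold failures for the same
    user within `window`. With `slot`, only successes inside that slot count.

    Returns a list of (user, ip, success_timestamp) tuples in log order.
    """
    failures = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, success, user, ip = parsed
        recent = failures[user]
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.popleft()
        if not success:
            recent.append(ts)
            continue
        if len(recent) >= threshold and (slot is None or in_time_slot(ts, *slot, tz=tz)):
            alerts.append((user, ip, ts))
        recent.clear()   # a success ends the current run of failures
    return alerts


if __name__ == "__main__":
    for user, ip, ts in correlate(SAMPLE_LOG, slot=NIGHT_SLOT):
        print(f"ALERT {ts.isoformat()} {user} from {ip}: success after repeated failures at night")
```

On the sample data, alice (three failures then a success at 02:14 UTC) is flagged with the night slot applied; bob matches the same failure pattern but at 09:30 and is only flagged when no slot is given; carol has a single failure and never reaches the threshold. In a Graylog deployment the same state would have to live outside a single pipeline rule, which is why the reply points at a lookup-based approach.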

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.