Graylog Alerting pipelines


(smigal) #1

Hello community !

I want to know if it is possible to create an alert and apply it to a time slot.

Example: have an unsuccessful SSH connection between 00:00 and 06:10.

Would it be possible to have a syntax to use processing pipelines for checking on the time?

For example: checking between 00:00 and 06:00 every day.

Thanks for your feedback


(Jochen) #2

As @jan already described in Graylog Alerting Question, you could write a pipeline rule which checks if the “timestamp” field contains a timestamp between 0 and 6 o’clock, and then set a custom flag field.

Once the field’s there, you can create an alert condition which checks the field content and triggers an alert if your conditions have been met.

Example:

// Flag messages whose timestamp falls in hours 0 to 6 inclusive (00:00 to 06:59).
// hourOfDay is read from the message timestamp, which Graylog stores in UTC;
// convert to the wanted zone first if the window is meant in local time.
rule "Between 0 and 6 o'clock"
when
  to_date($message.timestamp).hourOfDay >= 0 && to_date($message.timestamp).hourOfDay <= 6
then
  set_field("trigger_alert", true);
end

(smigal) #3

Hello community !

Thank you for your reply

I want to do other scenarios, such as the detection of several unsuccessful SSH attempts followed by a success for the same user. Is it possible to do that on Graylog?

Thanks for your feedback


(Jochen) #4

You could probably build something like this with the 3rd party SLookup plugin.

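The two detections discussed in this thread, written out as an added example in plain Python (this is not code from the thread, from Graylog or from the SLookup plugin): it parses constructed sshd log lines, applies the same 00:00 to 06:00 hour-of-day check as the pipeline rule in #2, and, for the scenario in #3, flags a successful login that follows several failures for the same user. The log lines, the year 2024, UTC timestamps, and the thresholds (3 failures within 300 seconds) are assumptions made for the example.

```python
"""Added example, not code from the thread, from Graylog or from the SLookup
plugin: the two detections discussed above in plain Python over constructed
sshd log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (not real logs). Syslog lines carry no year, so one is
# assumed; timestamps are assumed to be UTC, matching Graylog's stored timestamp.
SAMPLE_LOG = """\
Mar 10 00:12:01 bastion sshd[1201]: Failed password for alice from 203.0.113.5 port 50212 ssh2
Mar 10 00:12:05 bastion sshd[1201]: Failed password for alice from 203.0.113.5 port 50214 ssh2
Mar 10 00:12:09 bastion sshd[1201]: Failed password for alice from 203.0.113.5 port 50216 ssh2
Mar 10 00:12:30 bastion sshd[1202]: Accepted password for alice from 203.0.113.5 port 50218 ssh2
Mar 10 09:30:00 bastion sshd[1300]: Failed password for bob from 198.51.100.7 port 40000 ssh2
Mar 10 09:31:00 bastion sshd[1301]: Accepted publickey for bob from 198.51.100.7 port 40001 ssh2
Mar 10 05:59:59 bastion sshd[1400]: Failed password for invalid user admin from 192.0.2.9 port 1234 ssh2
"""

# OpenSSH auth lines: "<Accepted|Failed> <method> for [invalid user] <user> from <ip> ..."
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line, year=2024):
    """Return a dict for one sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def in_window(ts, start_hour=0, end_hour=6):
    """Time-slot check equivalent to the pipeline rule above, but half-open:
    00:00:00 up to but not including 06:00:00. The rule's `hourOfDay <= 6`
    would also match 06:00 to 06:59."""
    return start_hour <= ts.hour < end_hour


def detect_failed_then_success(events, min_failures=3, window_seconds=300):
    """Emit an alert when a user's successful login follows at least
    `min_failures` failures for that user within `window_seconds`.
    `events` must be sorted by timestamp."""
    recent_failures = defaultdict(deque)  # user -> failure timestamps, oldest first
    alerts = []
    for ev in events:
        q = recent_failures[ev["user"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            continue
        # Success: drop failures outside the look-back window, then count the rest.
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:
            q.popleft()
        if len(q) >= min_failures:
            alerts.append({"user": ev["user"], "src": ev["src"],
                           "ts": ev["ts"], "failures": len(q)})
        q.clear()  # a success resets the sequence for this user
    return alerts


def analyze(log_text, year=2024):
    """Parse, sort, and run both detections; returns counts and alerts."""
    events = [e for e in (parse_line(l, year) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    night = [e for e in events if in_window(e["ts"])]
    return {"events": len(events), "night_events": len(night),
            "alerts": detect_failed_then_success(events)}


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG)["alerts"]:
        print(f"{a['ts']:%Y-%m-%d %H:%M:%S} {a['user']}@{a['src']}: "
              f"success after {a['failures']} failures")
```

On the sample input only alice triggers the sequence alert (three failures, then a success 29 seconds later); bob's single failure is below the threshold and admin never succeeds. The state is keyed on user name only, as the question asks; keying on user plus source address would separate a password-spraying host from a legitimate user who mistyped a password. The look-back window and the clear-on-success are what keep the state bounded, which is the part a stateless pipeline rule cannot do on its own.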

(system) #5

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.