Hello, I’m pretty new to Graylog so hopefully I’m not missing something that is clearly stated in the docs, but I have an alerting question.
I am trying to set up alerts that trigger for things like port locks, AD account lockouts, etc. I can get the streams and alerts configured correctly and they trigger when they are supposed to. The issue I am running into is that, say for an AD account lockout, the alert stays unresolved and I get a steady stream of emails about the account lockout.
What I am looking for is a way to set it up so that things like AD lockouts, port locks, etc. trigger a single email about the event and then, I guess, reset back to a resolved state so that it can be triggered again by a different instance of the alert.
I just need a single notification email about an account lockout, port lock, what have you. Is this something that can be done? Am I just missing something and/or not fully understanding the alert config options? Thanks in advance for any help and assistance.