Graylog Alerting Question


#1

Hello, I’m pretty new to Graylog so hopefully I’m not missing something that is clearly stated in the docs, but I have an alerting question.

I am trying to set up alerts that trigger for things like port locks, AD account lockouts, etc. I can get the streams and alerts configured correctly and they trigger when they are supposed to. The issue I am running into is that, say for an AD account lockout, the alert stays unresolved and I get a steady stream of emails about the account lockout.

What I am looking for is a way to set it up so that things like AD lockouts, port locks, etc. trigger a single email about the event and then, I guess, reset back to a resolved state so that it can be triggered again by a different instance of the alert.

I just need a single notification email about an account lockout, port lock, what have you. Is this something that can be done? Am I just missing something and/or not fully understanding the alert config options? Thanks in advance for any help and assistance.


(Shane) #2

In your alert condition, do you have “Repeat notifications” checked?


#3

Shane -

Thanks for the response. I do have that checkbox checked. It says underneath that box “Check this box to send notifications every time the alert condition is evaluated and satisfied regardless of its state.” which reads to me like I would want that checked so that I would be alerted to multiple AD account lockouts even if the first lockout hasn’t been unlocked yet (if unlocking counts as the resolution). So I’d get an email notification when “asmith” get locked, and also get an email notification when “jdoe” gets locked even if “asmith” hasn’t been unlocked yet.

The actual behavior I am seeing though, is that Graylog sends me alert emails over and over for the “asmith” lockout. After I got five emails for the same lockout I turned off the stream so that the emails would stop, but the alert is still sitting as “unresolved”.

What I’m looking for is to get one alert when the “asmith” account gets locked, and one email when the “jdoe”, or any subsequent user account, gets locked. As a sidenote, I’d also like to get an email alert when the accounts are unlocked… but if I can get the lock notification figured out I would just replicate the same setup but have it trigger on unlock events.

As a little bit of backstory, I’m trying to get Graylog set up to be a replacement and enhancement for our existing log collection system. We currently use alerts on account lockouts, port locks, AD modifications, as proactive alerts for helpdesk and as a heads up for things happening on our network. I want Graylog to be able to do this type of alerting as well as provide a much better interface for analyzing log data. It definitely fits the bill for the data analytics, I’m hoping that it can do the alerting piece as well. I think I’m just missing something because of my overall lack of experience with Graylog at the moment.


(Shane) #4

Sorry, I got slammed with some things yesterday =S. You will want to disable the repeat notifications. The keyword in the definition on the alerts page under the repeat notifications, is “state”. When you create an alert, and the alert is triggered, it will go into an unresolved state which you can see under alerts. Sometimes there will be an event there that will be in the process of resolving itself. If you have that repeat notifications selected, it will continue to alert you for an event, even when that alert his in the unresolved state.

To accomplish what you are wanting, set your Grace period to 0, backlog a single message so the actual message will be included in your email, and uncheck the repeat notifications box. If you click on the link below, there is a box under the “Notifications” section that states “Warning” that will go into a little more detail.

http://docs.graylog.org/en/2.4/pages/streams/alerts.html


#5

Shane -

I completely understand, sometimes days get a little wild. I definitely appreciate your help though. I have made the changes you suggested and re-enabled the stream. Now to just wait until someone locks themselves out… only a matter of time around here. I’ll let you know how it turns out.

One question, if the alert goes into an unresolved state for a lockout of “asmith” will it still trigger for a lockout of “jdoe” if the alert is still showing as unresolved?

Also, thanks for the additional documentation, I’m going to take a look at it now.


(Shane) #6

Actually you may be right on that, as depending on the frequency of the attempts, it may stay in the unresolved state and the new user may fall into that same condition. I normally create dashboards for account lockouts, just because I have additional issues in my environment. @jochen could probably enlighten us if that is the case.


#7

Good morning. Just wanted to follow up, and sorry that I fell of the face of the earth for a few days. I was wrapped up in another project. Anyway, your recommendation seems to be working correctly. It looks like the alert resets itself after the time range variable. So I have just made that as small as possible. Thanks again for the help.


(system) #8

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.