Graylog Alerts from AWS CloudTrail logs

trbiggs · October 13, 2017, 8:29pm

I have Graylog setup to parse logs it receives from CloudTrail. This seems to work fine. I’d like to configure Graylog alerts for some CloudTrail events. However, the Graylog alert I created as a test does not seem to trigger.

I’ve setup a Field Content Alert Condition with Field=event_name, Value=CreateUser, Grace Period=1, and Message Backlog=1. Even when I create a user in my AWS account I don’t see an alert from Graylog. I can see the message coming into the stream just fine. Has anyone configured Graylog to alert from CloudTrail before?

I don’t know if this is relevant but it can sometimes take ~15 minutes from the time an event is initiated to the time a log entry appears in CloudTrail. I don’t know if this has a bearing on the alert generation from Graylog. It doesn’t seem like it should.

I’m using Graylog 2.2.3+7adc951. Any advice is greatly appreciated. Thanks.

Edit: From this post, https://github.com/Graylog2/graylog2-server/issues/3881, it appears the delay in CloudTrail could be a problem. For example, if I create a user at 10:50am in AWS, the CloudTrail log for that event may not show up until 11:05am but that event will contain the correct time the user was created, 10:50am. If events for alerts are processed every minute, could this be missed?

jan · October 15, 2017, 10:49am

Hej @trbiggs

Alerting in Graylog is a search. If you set the period to 1 this search will be done in the last minute.

If the entry you are looking comes in late, you would need to define a bigger window to include those late ingestions.

trbiggs · October 16, 2017, 2:59pm

Do you happen to know how to set the search period? In the Condition, I see Grace Period which is described as Number of minutes to wait after an alert is resolved, to trigger another alert and Message Backlog which is described as The number of messages to be included in alert notifications. I don’t see a way to set the search period.

trbiggs · October 20, 2017, 3:44pm

If anyone else encounters this problem, I eventually got this to work. I had to use the Message Count Alert Condition. This has a Time Range parameter which I set to 30. Unfortunately, a Field Content Alert Condition doesn’t have a Time Range parameter. Because you’re looking for a message count, you have to setup a separate stream specifically for the messages you want to monitor. This can lead to a little bit of “stream sprawl” but I don’t see any other alternative. This can be avoid with a Time Range parameter in the Field Content Alert Condition.

jan · October 21, 2017, 4:23am

you might want to open a feature request for that …

For the check interval you can look at this setting:

github.com

Graylog2/graylog2-server/blob/2.3/misc/graylog.conf#L450-L452


# Length of the interval in seconds in which the alert conditions for all streams should be checked
# and alarms are being sent.
#alert_check_interval = 60

system · November 4, 2017, 4:23am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alert or Aggregates plugin searches for every 15 min only Graylog Central (peer support)	1	466	July 25, 2018
Duplicate Events with AWS plugin Graylog Central (peer support)	7	545	October 2, 2019
[SOLVED] Event notifications not sending aggregated logs Graylog Central (peer support)	3	890	December 2, 2022
Graylog alerting per unique message Graylog Central (peer support) pipeline-rules , route-to-streampl	3	821	November 1, 2017
Alert condition 0 messages in 60 minutes is triggering when there are messages Graylog Central (peer support)	7	782	August 19, 2021

Graylog Alerts from AWS CloudTrail logs

Related Topics