Hello everyone. I hope you are using and enjoying Graylog as much as I do.
Context: I’m currently using Graylog v4.0.15 and I’m trying to generate automatic alerts (with the Graylog Alert module) when certain keywords start to become repetitive within my systems. I’m sampling the keywords every 15 min, and I’m analyzing them in a 24-hour time window.
Context #2: My main concern is to gather insights about trends, i.e. if the keyword “bazarbackdoor” is mentioned at least 10 times and if its standard deviation is greater than 0.2, then the system should trigger an alert.
Problem: Graylog is not correctly interpreting or parsing the decimal values I use as input for the thresholds to trigger the alerts. And second, the evaluated values differ from what I’m seeing in the “Dashboards” section of Graylog when searching for the same data in the same stream and during the same time window of analysis (24 hours ago).
Example (desired behavior):
a) “bazarbackdoor” - std_dev: 0.234 (alert)
b) “backdoor” - std_dev: 0.013 (not alert)
c) “mining” - std_dev: 0.908 (alert)
Threshold value: std_dev(hits) >= 0.2
Example (current behavior):
a) “bazarbackdoor” - std_dev: 0.0 (not alert)
b) “backdoor” - std_dev: 0.0 (not alert)
c) “mining” - std_dev: 0.5 (alert)
Threshold value: std_dev(hits) >= 0.2
Img 1: Current generated alerts
https://imgur.com/6ya9Ugc
Img 2: Current generated values in “Dashboards”, using same filters for “Alerts”
https://imgur.com/HuL2mjV
Img 3: Current “Alerts” threshold criteria to trigger alerts
My Environment:
- OS Information: Ubuntu 20.04.3 LTS
- Package Version: v4.0.15
- Service logs, configurations, and environment variables: Graylog is running with an Elasticsearch single node, in a VM
What have I done to “solve” this?
A simple workaround for this was to multiply my input values (intel_count) by 10, so they can be considered “real” floating numbers, so Graylog could correctly understand the values and trigger the desired alerts with my desired thresholds (now as integer numbers).
Example (previous filters):
a) std_dev() >= 0.2
Example (workaround):
a) std_dev() >= 2
By doing this, the system behaves as expected. But I still think that with decimal values, the system should work as desired and not by manipulating the numbers.
So, my questions are:
a) Has anybody encountered something like this when using the Graylog Alerts module?
b) Are the Graylog developers aware of this possible issue with floating numbers?
c) Is there a major release (i.e. v4.1 or v4.2) that fixes this problem? Then we could update to the fixed version and the problem would be solved.
Cheers!
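As an added example (not part of the original post and not Graylog's own evaluation code), the check the post describes, done by hand in Python: bucket sample messages into 15-minute slots over a 24-hour window, take the standard deviation of the per-bucket hit counts, and apply "at least 10 hits and std_dev >= 0.2". The same data is also evaluated with the x10 workaround from the post, and under a hypothetical engine that drops the fractional part of std_dev before comparing, to show why scaling the counts makes the decision survive such a loss. The log lines, the keyword timings, whole-token keyword matching, the population standard deviation and the precision-loss model are all constructed assumptions for illustration.

```python
"""Keyword-trend alert: hits per 15-minute bucket over a 24-hour window.

Added example written for this page. It is not Graylog's code and does not
reproduce how Graylog evaluates std_dev(); the log lines, whole-token keyword
matching, population standard deviation and the "lossy" model are
assumptions made for illustration.
"""
from datetime import datetime, timedelta
from math import floor, sqrt

WINDOW_START = datetime(2022, 3, 1)          # constructed window start
BUCKET_MINUTES = 15
BUCKETS = 24 * 60 // BUCKET_MINUTES          # 96 buckets in 24 h

# Constructed sample data (not real telemetry): bucket index -> hits in it.
SAMPLE_PATTERN = {
    "bazarbackdoor": {b: 1 for b in range(0, 96, 8)},        # 12 buckets, 1 hit each
    "backdoor": {**{b: 1 for b in range(96)}, 7: 2, 70: 2},  # steady background, 98 hits
    "mining": {b: 3 for b in range(40, 50)},                 # 10 adjacent buckets, 3 hits each
}


def build_sample_logs(pattern=SAMPLE_PATTERN):
    """Expand SAMPLE_PATTERN into '<ISO timestamp> <message>' lines."""
    lines = []
    for keyword, buckets in pattern.items():
        for bucket, hits in buckets.items():
            ts = WINDOW_START + timedelta(minutes=bucket * BUCKET_MINUTES + 1)
            lines += [f"{ts.isoformat()} intel feed: indicator {keyword} seen"] * hits
    return sorted(lines)


def bucket_counts(lines, keyword, window_start=WINDOW_START):
    """Hits of `keyword` (whole token, case-insensitive) per 15-minute bucket."""
    counts = [0] * BUCKETS
    window_end = window_start + timedelta(hours=24)
    for line in lines:
        ts_text, _, message = line.partition(" ")
        ts = datetime.fromisoformat(ts_text)
        if window_start <= ts < window_end and keyword in message.lower().split():
            counts[int((ts - window_start).total_seconds() // (BUCKET_MINUTES * 60))] += 1
    return counts


def std_dev(values):
    """Population standard deviation of the per-bucket counts."""
    mean = sum(values) / len(values)
    return sqrt(sum((v - mean) ** 2 for v in values) / len(values))


def should_alert(counts, min_hits=10, threshold=0.2, scale=1, lossy=False):
    """The rule from the post: at least `min_hits` hits and std_dev >= threshold.

    scale: multiply every count first (the x10 workaround); the caller passes
           the threshold scaled the same way (0.2 -> 2).
    lossy: hypothetical engine that drops the fractional part of std_dev before
           comparing. This is a guess used to illustrate the symptom, not a
           statement about what Graylog does.
    """
    sd = std_dev([c * scale for c in counts])
    if lossy:
        sd = floor(sd)
    return sum(counts) >= min_hits and sd >= threshold


def evaluate(lines, keywords=("bazarbackdoor", "backdoor", "mining")):
    """Per keyword: raw std_dev plus the decision under three evaluation modes."""
    report = {}
    for kw in keywords:
        counts = bucket_counts(lines, kw)
        report[kw] = {
            "hits": sum(counts),
            "std_dev": round(std_dev(counts), 4),
            "alert_float": should_alert(counts, threshold=0.2),
            "alert_lossy": should_alert(counts, threshold=0.2, lossy=True),
            "alert_scaled_lossy": should_alert(counts, threshold=2, scale=10, lossy=True),
        }
    return report


if __name__ == "__main__":
    for kw, row in evaluate(build_sample_logs()).items():
        print(f"{kw:14s} {row}")
```

Because the standard deviation scales linearly with the counts, a threshold of 0.2 on raw counts is exactly a threshold of 2 on x10 counts, and the scaled value keeps its decision even if the fractional part is discarded (3.3 becomes 3, still >= 2) while the raw value does not (0.33 becomes 0). Recomputing the value by hand from the same 96 buckets, as this script does, is the quickest way to tell which of the dashboard and the alert engine is showing the correct number.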