Graylog Alerts: Not correctly interpreting floating point number for threshold

Hello everyone. I hope you are using and enjoying Graylog as much as I do.

Context: I’m currently using Graylog v4.0.15 and I’m trying to generate automatic alerts (with the Graylog Alert module) when certain keywords start to become repetitive within my systems. I’m sampling the keywords every 15 min, and I’m analyzing them in a 24-hour time window.

Context #2: My main concern is to gather insights about trends, i.e. if the keyword “bazarbackdoor” is mentioned at least 10 times and if its standard deviation is greater than 0.2, then the system should trigger an alert.

Problem: Graylog is not correctly interpreting or parsing the decimal values I use as input for the thresholds to trigger the alerts. And second, the evaluated values differ from what I’m seeing in the “Dashboard” section of Graylog when searching for the same data in the same stream and during the same time window of analysis (24 hours ago).

Example (desired behavior):
a) “bazarbackdoor” - std_dev: 0.234 (alert)
b) “backdoor” - std_dev: 0.013 (not alert)
c) “mining” - std_dev: 0.908 (alert)
Threshold value: std_dev(hits) >= 0.2

Example (current behavior):
a) “bazarbackdoor” - std_dev: 0.0 (not alert)
b) “backdoor” - std_dev: 0.0 (not alert)
c) “mining” - std_dev: 0.5 (alert)
Threshold value: std_dev(hits) >= 0.2


Img 1: Current generated alerts

https://imgur.com/6ya9Ugc

Img 2: Current generated values in “Dashboards”, using the same filters as “Alerts”

https://imgur.com/HuL2mjV

Img 3: Current “Alerts” threshold criteria to trigger alerts

My Environment:

  • OS Information: Ubuntu 20.04.3 LTS
  • Package Version: v4.0.15
  • Service logs, configurations, and environment variables: Graylog is running with an Elasticsearch single node, in a VM

What have I done to “solve” this?
A simple workaround for this was to multiply my input values (intel_count) by 10, so they can be considered “real” floating numbers and Graylog can correctly understand the values and trigger the desired alerts with my desired thresholds (now as integer numbers).
Example (previous filters):
a) std_dev() >= 0.2

Example (workaround):
a) std_dev() >= 2

By doing this, the system behaves as expected. But I still think that with decimal values, the system should work as desired and not by manipulating the numbers.

So, my questions are:
a) Has anybody encountered something like this when using the Graylog Alerts module?
b) Are the Graylog developers aware of this possible issue with floating numbers?
c) Is there a major release (i.e. v4.1 or v4.2) that fixes this problem? Then we can update to the fixed version and the problem is solved.

Cheers!
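As an added example that is not part of the original post and not Graylog’s own code: a small Python model of the alert condition described above (at least 10 mentions in the 24-hour window and std_dev of the per-15-minute hit counts >= 0.2), evaluated over constructed sample data. It assumes Graylog’s std_dev is a population standard deviation (an assumption; the aggregation Graylog runs is not shown on this page) and it does not diagnose why Graylog evaluated the decimal threshold differently. What it does show is why the ×10 workaround is safe: multiplying every value by 10 multiplies std_dev by exactly 10, so `std_dev >= 2` on the scaled values gives the same decisions as `std_dev >= 0.2` on the originals, while the mention count is unaffected.

```python
"""Added example, not Graylog code: model the alert condition from the post
(at least 10 mentions in 24 h and std_dev of 15-minute hit counts >= 0.2)
over constructed samples, and show that the x10 workaround keeps the same decisions."""
import math
from dataclasses import dataclass

SLOTS_PER_DAY = 96  # 24 h sampled every 15 min


@dataclass(frozen=True)
class AlertResult:
    keyword: str
    mentions: int      # total hits in the window (the count-style condition)
    std_dev: float     # population std_dev of the per-slot hit counts
    alert: bool


def population_std_dev(values):
    """Population standard deviation (assumed here to match Graylog's std_dev)."""
    n = len(values)
    if n == 0:
        return 0.0
    mean = sum(values) / n
    return math.sqrt(sum((v - mean) ** 2 for v in values) / n)


def evaluate(samples, min_mentions=10, std_dev_min=0.2, scale=1):
    """Evaluate the two-part condition for every keyword.

    samples: keyword -> list of hit counts, one per 15-minute slot.
    scale:   factor applied to every value before std_dev, i.e. the post's
             workaround; the caller passes std_dev_min scaled by the same factor.
    """
    results = {}
    for keyword, hits in samples.items():
        mentions = sum(hits)                       # message count is unaffected by scaling
        sd = population_std_dev([h * scale for h in hits])
        results[keyword] = AlertResult(
            keyword, mentions, sd, mentions >= min_mentions and sd >= std_dev_min
        )
    return results


def decisions(results):
    """Reduce evaluate() output to keyword -> alert? for easy comparison."""
    return {k: r.alert for k, r in results.items()}


def samples_24h(nonzero):
    """Build one day of 15-minute slots from a {slot_index: hits} mapping."""
    return [nonzero.get(i, 0) for i in range(SLOTS_PER_DAY)]


# Constructed sample data (not real Graylog output).
SAMPLES = {
    "bazarbackdoor": samples_24h({i: 1 for i in range(40, 50)}),          # 10 hits in one 2.5 h burst
    "backdoor": samples_24h({3: 1, 70: 1}),                               # 2 isolated hits
    "mining": samples_24h({i: 3 for i in range(0, SLOTS_PER_DAY, 8)}),    # 12 bursts of 3 hits
    "scanner": [1] * SLOTS_PER_DAY,                                       # steady: 96 hits, std_dev 0
}


if __name__ == "__main__":
    plain = evaluate(SAMPLES)                              # std_dev >= 0.2 on raw values
    scaled = evaluate(SAMPLES, std_dev_min=2.0, scale=10)  # workaround: values x10, threshold 2
    for k in SAMPLES:
        p, s = plain[k], scaled[k]
        print(f"{k:14} mentions={p.mentions:3} std_dev={p.std_dev:.3f} alert={p.alert} "
              f"| x10: std_dev={s.std_dev:.3f} alert={s.alert}")
```

The "scanner" row is the edge case the std_dev condition exists for: 96 mentions easily clears the count threshold, but a keyword that appears at a constant rate has std_dev 0 and is not a trend, so it must not alert. Because std_dev scales linearly with its inputs, the scaled run reproduces every decision of the unscaled run; what the workaround cannot do is make a threshold comparison between an integer and 0.2 behave the same as between 2 and the scaled value if the decimal is dropped somewhere on the way in, which is the behaviour the post reports but does not explain.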

Hello && Welcome

I have not; also, I haven’t used a decimal point in my threshold.

Perhaps ask that question on GitHub; you’d probably get a better response there.

Here are the change logs below, but I haven’t seen anyone have this problem; then again, I haven’t seen community members use floating numbers in a threshold.

https://docs.graylog.org/docs/changelog
