I’d like to set up correlation so alerts are sent only when 2 of 3 event definitions are fired in a given period, which I thought I could accomplish with “not occur” logic, but I’m not having much luck.
Example: Event occurrences (in order) in a 10 min period
EventA x1 , EventB x1, EventC x0
I thought:
EventA + EventB (occur at least once logic)
would be the same as
EventA and not occur EventC followed by EventB
Number 1 fires but not number 2.
The fact that “not occur” on its own can’t be used to end a correlated event makes me think I misunderstand what it means.
I’ve checked the server log but no errors are there related to this event.
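To make the difference between the two rules in the post concrete, here is an added Python example (not from the original post, and not Graylog’s correlation engine) that runs both rule shapes over a constructed event list. Rule 1 fires when at least 2 of the 3 definitions each occur at least once inside the window, regardless of order; rule 2 is the ordered form “EventA, then EventB, with no EventC in between”. The event names, timestamps and 10-minute window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (assumed, not from the original post): (timestamp, event definition)
SAMPLE_EVENTS = [
    (datetime(2024, 1, 1, 10, 0, 0), "EventA"),
    (datetime(2024, 1, 1, 10, 3, 0), "EventB"),   # A then B: both rules should fire
    (datetime(2024, 1, 1, 10, 20, 0), "EventB"),
    (datetime(2024, 1, 1, 10, 25, 0), "EventA"),  # B then A: only the unordered rule fires
    (datetime(2024, 1, 1, 10, 40, 0), "EventA"),
    (datetime(2024, 1, 1, 10, 42, 0), "EventC"),
    (datetime(2024, 1, 1, 10, 45, 0), "EventB"),  # A, C, B: C breaks the ordered rule
]

WINDOW = timedelta(minutes=10)          # assumed correlation period from the post
WATCHED = ("EventA", "EventB", "EventC")


def events_in_window(events, start, window=WINDOW):
    """Return the events with start <= timestamp < start + window, in input order."""
    return [e for e in events if start <= e[0] < start + window]


def two_of_three(window_events, min_distinct=2):
    """Rule 1: at least `min_distinct` of the watched definitions occurred at least once."""
    seen = {name for _, name in window_events if name in WATCHED}
    return len(seen) >= min_distinct


def a_then_b_without_c(window_events):
    """Rule 2: some EventA is followed later by an EventB with no EventC between them."""
    for i, (_, name) in enumerate(window_events):
        if name != "EventA":
            continue
        for _, later in window_events[i + 1:]:
            if later == "EventC":
                break               # a C between this A and any later B kills the sequence
            if later == "EventB":
                return True
    return False


def fired(events, rule, window=WINDOW):
    """Slide a window anchored at every event; return the 'HH:MM' anchors where `rule` fires."""
    events = sorted(events)
    anchors = []
    for ts, _ in events:
        if rule(events_in_window(events, ts, window)):
            anchors.append(ts.strftime("%H:%M"))
    return anchors


if __name__ == "__main__":
    print("2-of-3 fires at:", fired(SAMPLE_EVENTS, two_of_three))
    print("A, not C, then B fires at:", fired(SAMPLE_EVENTS, a_then_b_without_c))
```

Run on the constructed data, the unordered rule fires for the windows starting 10:00, 10:20, 10:40 and 10:42, while the ordered rule fires only for the 10:00 window: a sequence rule with a “not occur” step is strictly narrower than “any 2 of 3 at least once”, so the two are not interchangeable.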
Thanks for the link but is there a video or example of correlation using “not occur” logic? All the ones I’ve seen are based off events that happen in order.
Would someone with a working correlation rule be kind enough to screenshot their rule order with a “not occur” so I can see where I’m going wrong?
As Bon Jovi says, “they say that no man is an island… unless you have a question re: Graylog”
I’m just keeping my Rsyslog server with 24 hour log retention running in parallel with Graylog to use the power of SQL subqueries until I have more time to investigate.