Help understanding Event Correlation

I’d like to setup correlation so alerts are sent only when 2 of 3 event definitions are fired in a given period which I though I could accomplish with “not occur” logic but not having much luck.

Example: Event occurrences (in order) in a 10 min period
EventA x1 , EventB x1, EventC x0

I thought;

  1. EventA + EventB (occur at least once logic)
    would be the same as
  2. EventA and not occur EventC followed by EventB

Number 1 fires but not number 2.

That “not occur” on its own can’t be used to end a correlated event makes me think I misunderstand what that means.

I’ve checked the server log but no errors are there related to this event.


Check this great video:

Thanks for the link but is there a video or example of correlation using “not occur” logic? All the ones I’ve seen are based off events that happen in order.

Would someone with a working correlation rule be kind enough to screenshot their rule order with a “not occur” so I can see where I’m going wrong?


Do these two screens reveal what’s wrong with my understanding of “not occur”?

It shows CRM Event with ActiveSync occuring before and after within 10 minutes but I still get the alert.

Graylog 3.2.4

As Bon Jovi says, “they say that no man is an island… unless you have a question re: Graylog” :wink:

I’m just keeping my Rsyslog server with 24 hour log retention running in Parallel with Graylog to use the power of SQL subqueries until I have more time to investigate.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.