Highest log spamming source detection


In our environment we see that suddenly some sources are starting spam log messages due to a hardware or a software issue and it creates conjunction in the network, hence we need to identify the spammers immediately. Is there is any way to get an alert if a source started sending higher number of logs than usual using Graylog. I see that in sources tab listing the highest log senders but looking for a alert when such ever occurs. Any help on this appreciated. Thanks

That is possible with the new alerting in Graylog 3.1 and the correlation engine of the enterprise plugins.

Thanks Jan for looking into this, currently we are using Graylog v2.4.6 open source version. We can upgrade to 3.1 version, however do we have to purchase enterprise edition to avail the feature? Kindly clarify.

do we have to purchase enterprise edition to avail the feature?

when you ingest not more than 5GB per day - you can go with the free enterprise license. If you ingest more, you need to purchase.

Thanks you for confirming this.

I was going through the correlation engine demo videos, my understanding is that we need a log pattern to detect the log spamming. My question is , if suddenly a source started spamming some unknown logs , then the correlation engine can detect the spamming? if so kindly guide me how to configure it.

you might want to tune in:

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.