How Graylog set alert field value to true or false

Ganeshbabu · September 13, 2019, 10:02am

Hi All,

We are using Graylog 3.1.1 with Elasticsearch 6.8.1 & Mongo 3.6.14. I am trying to setup alerts based on the event condition.

I am receiving IIS logs to graylog and I am setting iis_Access_Responsecode:>=500 in event filter condition with aggregation group by field as iis_Access_SiteName and if my events count is > than 5 alerts will be triggered.

Yes I am able to see alerts triggered based on the event definition and messages are recorded to the “All Events” stream. But in the all events stream I am getting two types of messages and the field “alert” has two values,

alert=false
alert=true

Below is the sample message with alert= false

    "_source" : {
      "id" : "01DMFWQERB48FSDMVZTNSYD",
      "event_definition_type" : "aggregation-v1",
      "event_definition_id" : "5d76470a026d94693",
      "origin_context" : null,
      "timestamp" : "2019-09-11 10:08:14.276",
      "timestamp_processing" : "2019-09-11 10:08:28.427",
      "timerange_start" : "2019-09-11 10:03:22.453",
      "timerange_end" : "2019-09-11 10:08:22.452",
      "streams" : [
        "000000000000000000000002"
      ],
      "source_streams" : [
        "5d76240b945248b2f"
      ],
      "message" : "500_ErrorCodes: abc.graylog.com- count()=12.0",
      "source" : "graylog3-helm-0.graylog3-helm-svc.cluster.local",
      "key_tuple" : [ ],
      "key" : "",
      "priority" : 2,
      "alert" : false,
      "fields" : { }
    }

Below is the sample message with alert=true

    "_source" : {
      "id" : "01DMFN7WGAEB3TXTPRK",
      "event_definition_type" : "aggregation-v1",
      "event_definition_id" : "5d76470a026d94693",
      "origin_context" : null,
      "timestamp" : "2019-09-11 07:55:33.233",
      "timestamp_processing" : "2019-09-11 07:57:38.243",
      "timerange_start" : "2019-09-11 07:52:22.452",
      "timerange_end" : "2019-09-11 07:57:22.451",
      "streams" : [
        "000000000000000000000002"
      ],
      "source_streams" : [
        "5d76240b945248b2f"
      ],
      "message" : "500_ErrorCodes: def.graylog.com - count()=14.0",
      "source" : "graylog3-helm-0.graylog3-helm.svc.cluster.local",
      "key_tuple" : [ ],
      "key" : "",
      "priority" : 2,
      "alert" : true,
      "fields" : { }
    }

I am not able to understand how the graylog sets the value of alert field to true or false

I didn’t find much information on the alerts documentation

Kindly share your thoughts and help us to understand the alerts concept.

Regards,
Ganeshbabu R

Ganeshbabu · September 16, 2019, 6:39am

If we add the notification in the event definition then alert field value set as “True” in the message.

system · September 30, 2019, 6:39am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
GrayLog Alert by Custom Field Graylog Central (peer support)	4	2186	February 5, 2021
Field Content Alert Conditions Not Triggering Graylog Central (peer support)	6	1654	February 27, 2019
Alert Condition Question Graylog Central (peer support)	1	334	November 28, 2018
Graylog 6.0 Triggering alerts when conditions not met Graylog Central (peer support) alert	5	70	October 11, 2024
Alert if no logs Graylog Central (peer support)	3	3179	March 11, 2020

How Graylog set alert field value to true or false

Related topics