Logon and Logoff messages which are too close make problems writing and deleting data from lookup table


1. Describe your incident:
I created a rule to write a sessionID from the message to the lookup table, and this works great. Then I created a rule to delete the sessionID from the lookup table based on a message that indicates that the session ended. This works, but only if the messages are more than 3 seconds away from each other.

Example: I get a Logon message with timestamp 2024-01-17 14:05:13.523 and a Logoff message with timestamp 2024-01-17 14:05:13.529, and so the sessionID is written but not deleted. I think this is because the messages are too close, and when the Logoff message comes, the sessionID from the Logon message is not written yet.

Is there a function or a way to postpone logoff messages, or some kind of delay?
I tried minutes(5), for example, but it didn’t work.

Any help will be appreciated, thank you very much

2. Describe your environment:

  • OS Information: Ubuntu 20.04.6 LTS

  • Package Version: Graylog 5.0.8

  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
I tried to use the function minutes(value) but it didn’t help.
I also tried to do it in two standalone pipelines (write and delete rule) but it didn’t help.

4. How can the community help?
I will appreciate any tips on how to solve this.
Thank you very much


What’s the reason you are deleting them on log off? Is it just to clean up the database? If it is, you can just set a TTL when you create it and it can clean itself up after some period of time.

I use the lookup table to store running user sessions. When the user logs off, the session is deleted from the lookup table; when a new logon message is created, the session ID is written to the lookup table. Then I have an event which checks logon and logoff messages, and when no logoff message was created in 12h and the sessionID is still in the lookup table, it creates a notification that the user did not log off.
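
Added example, not part of the thread and not Graylog pipeline code: a Python model of the session table described above. It assumes the cause the poster suspects (the logoff being processed before the logon entry is stored) and shows a tombstone per closed session making the 12h check independent of processing order, with a TTL as suggested in the reply. The session IDs, the 24h TTL and all names are constructed for illustration.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(hours=12)  # "no logoff in 12h" threshold from the thread
TTL = timedelta(hours=24)          # assumed entry lifetime for self-cleanup

def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")

# Constructed sample events, listed in processing order. S-1001 reuses the
# timestamps from the post, with the logoff processed before the logon.
EVENTS = [
    ("logoff", "S-1001", ts("2024-01-17 14:05:13.529")),
    ("logon",  "S-1001", ts("2024-01-17 14:05:13.523")),
    ("logon",  "S-1002", ts("2024-01-17 14:10:00.000")),
]

class SessionTable:
    """Hypothetical in-memory stand-in for the lookup table."""
    def __init__(self, tombstones=True):
        self.tombstones = tombstones
        self.open = {}    # session_id -> logon time
        self.closed = {}  # session_id -> logoff time (tombstone)

    def apply(self, event, session_id, when):
        if event == "logon":
            # A logoff that was processed first left a tombstone: stay closed.
            if session_id not in self.closed:
                self.open[session_id] = when
        elif event == "logoff":
            self.open.pop(session_id, None)  # no-op if the logon is not stored yet
            if self.tombstones:
                self.closed[session_id] = when

    def expire(self, now):
        """Drop entries older than TTL so neither map grows without bound."""
        for table in (self.open, self.closed):
            for sid in [s for s, t in table.items() if now - t > TTL]:
                del table[sid]

    def stale(self, now):
        """Sessions still open STALE_AFTER or longer after their logon."""
        return sorted(s for s, t in self.open.items() if now - t >= STALE_AFTER)

def check(events, now, tombstones=True):
    table = SessionTable(tombstones)
    for event, session_id, when in events:
        table.apply(event, session_id, when)
    table.expire(now)
    return table.stale(now)
```

With `tombstones=False` the model behaves like a plain write-on-logon, delete-on-logoff table, so S-1001 is reported as never logged off when its two events are processed in reverse.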
