I have Snort dumping logs to Graylog, and currently alert on specific alerts with a field titled “snort_priority”. Essentially, if snort_priority == 1, create an alert. This can be noisy sometimes, so I have to backlog some of the messages. The issue I’m running into is that I thought Graylog would only backlog identical messages, but it appears it is also throwing messages into the backlog that are not associated with that alert at all. For ease of explanation, if I have an alert that says “alert on any SMB traffic”, and I have an instance where I have traffic from 192.168.1.1 -> 192.168.1.2, and shortly thereafter I have another instance where 192.168.2.1 -> 192.168.3.2, I would never see this alert because it is being backlogged into the first initial alert.
Do I need to create a separate stream for each event? Or am I approaching this in the wrong way?
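As an added illustration of the behaviour described in the question (this is example code, not Graylog's implementation and not from the original post), the script below models two ways a grace period can suppress repeated priority-1 Snort alerts: keyed globally, where the first alert opens a window and every later priority-1 alert falls into its backlog regardless of source or destination, and keyed per flow (signature, src_ip, dst_ip), where the second SMB hit between different hosts still fires. The alert records, their field names and the 300-second window are constructed assumptions.

```python
"""Grace-period suppression of Snort alerts, keyed globally vs. per flow.

Added example; not Graylog's own logic. Alerts are assumed to be dicts with
the fields ts (seconds), snort_priority, signature, src_ip and dst_ip.
"""
from collections import defaultdict

# Constructed sample alerts, loosely modelled on the two SMB hits in the post.
SAMPLE_ALERTS = [
    {"ts": 0,   "snort_priority": 1, "signature": "SMB traffic",
     "src_ip": "192.168.1.1", "dst_ip": "192.168.1.2"},
    {"ts": 5,   "snort_priority": 1, "signature": "SMB traffic",
     "src_ip": "192.168.1.1", "dst_ip": "192.168.1.2"},   # same flow, repeat
    {"ts": 10,  "snort_priority": 1, "signature": "SMB traffic",
     "src_ip": "192.168.2.1", "dst_ip": "192.168.3.2"},   # different flow
    {"ts": 20,  "snort_priority": 2, "signature": "SMB traffic",
     "src_ip": "192.168.2.1", "dst_ip": "192.168.3.2"},   # below threshold
    {"ts": 400, "snort_priority": 1, "signature": "SMB traffic",
     "src_ip": "192.168.1.1", "dst_ip": "192.168.1.2"},   # window expired
]


def suppress(alerts, grace_seconds, key_fields):
    """Replay alerts in time order and apply a grace period per key.

    key_fields == ()            -> one global window (everything backlogged
                                   behind the first alert)
    key_fields == ("signature", "src_ip", "dst_ip")
                                -> one window per distinct flow
    Returns (fired, backlogged), where backlogged maps key -> suppressed alerts.
    """
    last_fired = {}
    fired, backlogged = [], defaultdict(list)
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        if alert["snort_priority"] != 1:
            continue                      # only priority 1 is alert-worthy
        key = tuple(alert[f] for f in key_fields)
        last = last_fired.get(key)
        if last is not None and alert["ts"] - last < grace_seconds:
            backlogged[key].append(alert)  # inside an open window: suppress
            continue
        last_fired[key] = alert["ts"]      # open (or reopen) the window
        fired.append(alert)
    return fired, dict(backlogged)


def fired_timestamps(alerts, grace_seconds, key_fields):
    """Convenience: timestamps of the alerts that actually fired."""
    fired, _ = suppress(alerts, grace_seconds, key_fields)
    return [a["ts"] for a in fired]


if __name__ == "__main__":
    flow_key = ("signature", "src_ip", "dst_ip")
    print("global window fired at:", fired_timestamps(SAMPLE_ALERTS, 300, ()))
    print("per-flow window fired at:", fired_timestamps(SAMPLE_ALERTS, 300, flow_key))
```

With a single global window the 192.168.2.1 -> 192.168.3.2 hit at t=10 is swallowed by the window opened at t=0, which is the symptom the question describes; keying the window on the flow fields lets it fire while still collapsing the genuine repeat at t=5.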