Pipeline rules help


Hi !

We use Opentext to store all our internal documentation. This Opentext is installed over IIS. We already collect IIS logs in Graylog and apply few basic rules.

We would like to trigger an alert when a user has done more than 10 of an action in the last 30 minutes.
(Like if an ip (field “c-ip”) has 10 (" objAction" “edit”) in a stream in the last 30 minutes.

I have used a stream selecting only the messages with the field “objAction=Edit” and a I have tried to do a rule source in a pipeline to count.

My idea is this one: if we receive a message, we get the ip of the message and we count all the messages containing this IP in the last 30 minutes (the stream only contains the last 30 minutes messages already).

In the “exemples” on the right telling you all the commands you can do while writting a rule, I can’t found anything to count a string in the stream.

I’m starting and if someone have an answer, or tips on how to manage variables or a link to all the commands of the language (not sure what is used cause the documentation http://docs.graylog.org/en/2.4/pages/pipelines/rules.html#conditions says absolutely nothing about the langage used and what commands exists :’( ), it will help me a lot :slight_smile:

Thanks so much and I wish you a lovely day!

(Jan Doberstein) #2

How did your messages look like? Did you already have all information cut into separate fields? Is this all about how you would be able to alert on this?

It is not that easy with the current stable release but will be more with 3.0.

(system) #3

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.