Problem with backlog in aggregated event

Hello,
I’ve created an aggregation event to check the number of BIND commands from a user to an LDAP server. If the user exceeds 10 binds per minute, Graylog will raise an alert.
I’ve created a pipeline to extract the username (ldap_dn) of the user, the operation (ldap_operation) and the method (ldap_method). These fields are created correctly in the message.
The alert is fired correctly, but the messages included in the backlog aren’t. Several messages regarding other usernames appear in the middle.

I’m using Graylog 3.3.0 on CentOS 7 (with Graylog 3.2.4 I have the same problem).

The format of the messages is this:

conn=289188 op=0 BIND dn="uid=user,dc=domain,dc=com" method=128

The event definition is:

Condition Type: Filter & Aggregation
Search Query: ldap_operation:BIND AND exists:ldap_method
Search within the last: 1 minute
Execute search every: 10 seconds

Aggregation
Group by field(s): ldap_dn
Condition: count(ldap_dn) >= 10

Notification
Grace Period: 10 minutes
Message backlog: 10

If I try 10 times to bind with user1, the alert is fired, but messages related to user2 appear in the backlog. For example:

conn=289188 op=0 BIND dn="uid=user1,dc=domain,dc=com" method=128
conn=289189 op=0 BIND dn="uid=user1,dc=domain,dc=com" method=128
conn=289190 op=0 BIND dn="uid=user2,dc=domain,dc=com" method=128
conn=289191 op=0 BIND dn="uid=user2,dc=domain,dc=com" method=128
conn=289192 op=0 BIND dn="uid=user1,dc=domain,dc=com" method=128
conn=289193 op=0 BIND dn="uid=user1,dc=domain,dc=com" method=128
conn=289194 op=0 BIND dn="uid=user1,dc=domain,dc=com" method=128
conn=289195 op=0 BIND dn="uid=user2,dc=domain,dc=com" method=128
conn=289196 op=0 BIND dn="uid=user1,dc=domain,dc=com" method=128
conn=289197 op=0 BIND dn="uid=user1,dc=domain,dc=com" method=128

It seems that the field "ldap_dn" (grouped by) is ignored when extracting the backlog messages.
Is the definition of the event and notification correct?

Thank you
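The event definition above, reproduced as a small detector in Python so the two possible backlog behaviours can be compared side by side. This is an added example, not the poster's pipeline rule or any Graylog code: the regex that extracts ldap_operation, ldap_dn and ldap_method is an assumption, and the timestamps and the extra lines (one bind outside the window, a SEARCH and an anonymous BIND that the search query must drop) are constructed for the example; the original log lines carry no timestamps.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Extract the same three fields the poster's pipeline produces (ldap_operation,
# ldap_dn, ldap_method). This regex is an assumption, not the poster's pipeline rule.
LDAP_RE = re.compile(
    r'^conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<ldap_operation>[A-Z]+)'
    r'(?: dn="(?P<ldap_dn>[^"]*)")?(?: method=(?P<ldap_method>\d+))?'
)

def parse_line(line):
    """Return the extracted fields for one log line, or None if it is not an LDAP op line."""
    m = LDAP_RE.match(line)
    if not m:
        return None
    return {k: v for k, v in m.groupdict().items() if v is not None}

def matches_filter(msg):
    """Equivalent of the search query: ldap_operation:BIND AND exists:ldap_method."""
    return msg.get("ldap_operation") == "BIND" and "ldap_method" in msg

def evaluate(events, now, window=timedelta(minutes=1), threshold=10, backlog_size=10):
    """Run one execution of the event definition over (timestamp, line) pairs.

    Returns one alert per ldap_dn whose BIND count in the window reaches the threshold.
    Each alert carries two backlogs: 'backlog' keeps only messages of the grouped-by DN
    (what the poster expected), 'ungrouped_backlog' takes the last N messages of the whole
    search result regardless of DN (the behaviour the poster observed).
    """
    in_window = []
    for ts, line in events:
        if not (now - window < ts <= now):      # "Search within the last: 1 minute"
            continue
        msg = parse_line(line)
        if msg and matches_filter(msg):
            in_window.append(msg)
    counts = Counter(m["ldap_dn"] for m in in_window if "ldap_dn" in m)
    alerts = []
    for dn, n in counts.items():
        if n >= threshold:                      # "count(ldap_dn) >= 10"
            grouped = [m for m in in_window if m.get("ldap_dn") == dn][-backlog_size:]
            ungrouped = in_window[-backlog_size:]
            alerts.append({"ldap_dn": dn, "count": n,
                           "backlog": grouped, "ungrouped_backlog": ungrouped})
    return alerts

# Constructed sample: the poster's interleaving, extended so user1 reaches 10 binds in the
# window, plus one bind outside the window and two lines the search query must drop.
BASE = datetime(2020, 6, 1, 12, 0, 0)
USER1 = "uid=user1,dc=domain,dc=com"
USER2 = "uid=user2,dc=domain,dc=com"
_DN_SEQUENCE = [USER1, USER1, USER2, USER2, USER1, USER1, USER1, USER2,
                USER1, USER1, USER1, USER1, USER1]
SAMPLE_EVENTS = [
    (BASE - timedelta(seconds=120), 'conn=289100 op=0 BIND dn="%s" method=128' % USER1),
]
for i, dn in enumerate(_DN_SEQUENCE):
    SAMPLE_EVENTS.append((BASE + timedelta(seconds=2 * (i + 1)),
                          'conn=%d op=0 BIND dn="%s" method=128' % (289188 + i, dn)))
SAMPLE_EVENTS.append((BASE + timedelta(seconds=40),
                      'conn=289201 op=1 SEARCH base="dc=domain,dc=com"'))
SAMPLE_EVENTS.append((BASE + timedelta(seconds=42), 'conn=289202 op=0 BIND anonymous'))

def run_example():
    """One execution of the event definition at BASE + 60 s over the constructed sample."""
    return evaluate(SAMPLE_EVENTS, now=BASE + timedelta(seconds=60))

if __name__ == "__main__":
    for alert in run_example():
        print("ALERT %s count=%d" % (alert["ldap_dn"], alert["count"]))
        print("  grouped backlog DNs:  ", sorted({m["ldap_dn"] for m in alert["backlog"]}))
        print("  ungrouped backlog DNs:", sorted({m["ldap_dn"] for m in alert["ungrouped_backlog"]}))
```

Running it fires a single alert for user1 with count 10; the grouped backlog contains only user1 binds, while the ungrouped backlog, taken from the tail of the whole search result, includes user2 binds exactly as the poster observed. Until the group-by key is applied to the backlog, a practitioner triaging such an alert should re-run the search query with `ldap_dn:"<triggering dn>"` added rather than trusting the notification's backlog to show the offending account's binds.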

Hi @AngelTG,

do you mind describing this in a bug report over at:

This might get re-branded as a feature request, as I do not know if the group-by is actually thought to happen on the backlog messages.

Ok. I’ve just opened a bug report at GitHub. The URL is https://github.com/Graylog2/graylog2-server/issues/8265

Thank you
