Properly setting up an alert

Hey there. I have kind of a weird problem. Not quite sure if Graylog can even do this but thought I’d ask here.

Basically I have around 20 nginx webservers piping their access logs into graylog. I would like to set up an alert that fires when any of those individual webservers see requests to a certain file if it’s hit a certain number of times.

I have set up an alert that lets me know if a file has been hit stream wide > 100 times, which is working beautifully. However I’m not finding a way to make it per source.

This is kind of weird to explain so hopefully an example will help.

What it’s doing now:
somefile.php is hit > 100 times in the last 24 hours stream wide. Alert fires.

What I’d like it to do:
somefile.php is hit > 100 times on one host in the last 24 hours. Alert fires.

I know Graylog has some kind of functionality for this in dashboards, for example I can run my query looking for the particular file, then select “source” under the Search Result field, then click quick values. This breaks it down by source. But is there a way to translate this into an alert?

My thinking is the only way to do this would be to make a separate stream per source, then put a separate alert per stream. Is this accurate or is there a better way?

Hopefully this all makes sense. If I can provide any other information please let me know. Appreciate you taking the time to read my post.
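The per-source threshold the post asks for, written out as an added Python example (not Graylog configuration and not code from the original post): it parses a constructed batch of nginx access lines, each prefixed with a made-up host name standing in for Graylog's "source" field, and reports every host whose hits on the file exceed the threshold inside a sliding 24-hour window, next to the stream-wide count the existing alert measures. The host names, timestamps and the small threshold are assumptions for the demo; the post's real threshold is 100.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not from the post): "<source> <nginx combined log line>",
# where the first token stands in for Graylog's "source" field.
SAMPLE_EVENTS = """\
web01 10.0.0.5 - - [10/Oct/2023:13:00:00 +0000] "GET /somefile.php HTTP/1.1" 200 512
web02 10.0.0.6 - - [10/Oct/2023:13:00:05 +0000] "GET /somefile.php HTTP/1.1" 200 512
web01 10.0.0.5 - - [10/Oct/2023:13:00:10 +0000] "GET /index.html HTTP/1.1" 200 1024
web02 10.0.0.7 - - [10/Oct/2023:13:00:20 +0000] "GET /somefile.php HTTP/1.1" 200 512
web01 10.0.0.8 - - [10/Oct/2023:14:30:00 +0000] "GET /somefile.php HTTP/1.1" 200 512
web01 10.0.0.9 - - [11/Oct/2023:13:00:00 +0000] "GET /somefile.php HTTP/1.1" 200 512
web01 10.0.0.9 - - [11/Oct/2023:13:00:01 +0000] "GET /somefile.php HTTP/1.1" 200 512
web03 10.0.0.9 - - [11/Oct/2023:13:00:02 +0000] "GET /somefile.php HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<source>\S+) \S+ \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)')

def parse_events(text):
    """Yield (source, timestamp, path) for each parsable line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("source"), ts, m.group("path")

def stream_wide_count(text, path):
    """What the existing alert measures: hits on `path` across all sources."""
    return sum(1 for _, _, p in parse_events(text) if p == path)

def per_source_alerts(text, path, threshold, window=timedelta(hours=24)):
    """Sources whose hits on `path` exceed `threshold` inside any sliding `window`.
    Returns {source: peak hits seen in one window}. Events must be in time order."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerts = {}
    for source, ts, p in parse_events(text):
        if p != path:
            continue
        q = recent[source]
        q.append(ts)
        while ts - q[0] >= window:   # drop hits that have aged out of the window
            q.popleft()
        if len(q) > threshold and len(q) > alerts.get(source, 0):
            alerts[source] = len(q)
    return alerts
```

With threshold 2, the stream-wide count (7) would fire the existing alert, while the per-source check fires only for web01, which is the distinction the post is after.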
