Hey there. I have kind of a weird problem. Not quite sure if Graylog can even do this, but thought I'd ask here.
Basically I have around 20 nginx webservers piping their access logs into Graylog. I would like to set up an alert that fires when any of those individual webservers sees requests to a certain file, if it's hit a certain number of times.
I have set up an alert that lets me know if a file has been hit stream-wide > 100 times, which is working beautifully. However, I'm not finding a way to make it per source.
This is kind of weird to explain so hopefully an example will help.
What it’s doing now:
somefile.php is hit > 100 times in the last 24 hours stream-wide. Alert fires.
What I’d like it to do:
somefile.php is hit > 100 times on one host in the last 24 hours. Alert fires.
I know Graylog has some kind of functionality for this in dashboards; for example, I can run my query looking for the particular file, then select "source" under the Search Result field, then click Quick Values. This breaks it down by source. But is there a way to translate this into an alert?
My thinking is the only way to do this would be to make a separate stream per source, then put a separate alert per stream. Is this accurate or is there a better way?
Hopefully this all makes sense. If I can provide any other information, please let me know. Appreciate you taking the time to read my post.
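Added illustration, not part of the original post: a small Python script that runs the two conditions described above (stream-wide total versus a per-host count) over constructed nginx access-log lines. The host names, client IPs, paths and the tiny threshold are assumptions chosen to fit the sample; it shows the aggregation logic only, not Graylog's own alert configuration.

```python
import re
from collections import Counter

# Constructed nginx "combined" access-log lines (not real traffic). The first
# tuple element stands in for Graylog's "source" field, i.e. the sending host.
def make_line(client_ip, path, status=200):
    return (f'{client_ip} - - [10/Oct/2023:13:55:36 +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "curl/8.0"')

SAMPLE_RECORDS = (
    [("web01", make_line("10.0.0.1", "/somefile.php"))] * 2
    + [("web02", make_line("10.0.0.2", "/somefile.php?x=1"))] * 2
    + [("web03", make_line("10.0.0.3", "/somefile.php"))] * 2
    + [("web03", make_line("10.0.0.3", "/index.php"))] * 4
)

# Pulls the request path out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')

def count_hits_per_source(records, target_path):
    """Count requests for target_path, keyed by the host that logged them.
    Query strings are stripped so /somefile.php?x=1 counts as /somefile.php."""
    counts = Counter()
    for source, line in records:
        m = REQUEST_RE.search(line)
        if m and m.group("path").split("?", 1)[0] == target_path:
            counts[source] += 1
    return counts

def stream_wide_alert(counts, threshold):
    """The condition the post already has: one total across every host."""
    return sum(counts.values()) > threshold

def per_source_alerts(counts, threshold):
    """The condition the post is asking for: each host's own count is
    compared to the threshold independently; returns the hosts that exceed it."""
    return sorted(host for host, n in counts.items() if n > threshold)

if __name__ == "__main__":
    counts = count_hits_per_source(SAMPLE_RECORDS, "/somefile.php")
    print(dict(counts))                   # {'web01': 2, 'web02': 2, 'web03': 2}
    print(stream_wide_alert(counts, 5))   # True: 6 hits in total
    print(per_source_alerts(counts, 5))   # []: no single host is above 5
```

With the same data, the stream-wide condition fires while the per-source one does not, which is exactly the gap the post describes.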