See all logs outside business hours

Graylog Central (peer support)
1

Hi everybody,

how can i see all logs outside business hours?

Thanks. :raised_hand_with_fingers_splayed: :raised_hand_with_fingers_splayed:

2
  1. If you want to filter only one day, you can use Time frame selector and choose Absolute and setup specific time frame.
    Time frame selector — Graylog 4.0.0 documentation
  2. If you want to filter all messages try to use this pipeline rule as example, to setup new field out_of_hours, and update to your real timezone and required business hours. Then you can use this field for search for messages outside business hours. If will only work for new messages after you deploy pipeline rule.
rule "out_of_hours"
when
  to_long(now("Europe/London").hourOfDay) >= 0 AND
  to_long(now("Europe/London").hourOfDay) < 7
then
  set_field("out_of_hours", true);
  //debug("out_of_hours");
end
2 Likes
3

I have created a rule in the same way (without change). But it does not work. Can you please tell me where I went wrong

rule “off work hours”
when
( to_long(to_date($message.timestamp, “Europe/Berlin”).hourOfDay) >= 0 AND to_long(to_date($message.timestamp, “Europe/Berlin”).hourOfDay) <= 6 ) OR
( to_long(to_date($message.timestamp, “Europe/Berlin”).hourOfDay) >= 18 AND to_long(to_date($message.timestamp, “Europe/Berlin”).hourOfDay) <= 0 )
then
set_field(“out_of_hours”, true);
end

rule “off work weekend”
when
// from Monday (1) to Sunday (7)
to_long(to_date($message.timestamp, “Europe/Berlin”).dayOfWeek) == 7 OR
to_long(to_date($message.timestamp, “Europe/Berlin”).dayOfWeek) == 6
then
set_field(“out_of_hours”, true);
end

4

No you don’t use it same way. You’ve used to_date instead of now pipeline function. There is a bug in graylog’s function to_date which doesn’t support timezone parameter, or ignore it, and always use UTC.

Also your condition will not match, replace it to 23 instead of 0
to_long(to_date($message.timestamp, “Europe/Berlin”).hourOfDay) <= 0

Please post, what’s wrong with your pipeline rule and your conditions.

5

I have prepared everything like this. You can see the screenshots as an attachment

rule
rule1920×701 105 KB
time

6

You can’t paste 2 rules into pipeline body of rule, please separate it into two pipeline rules. One with rule “off work hours” and one for “off work weekend”.

7

otherwise everything is correct?

8

As I post, you used function to_date with timezone parameter which is ignored. Either use UTC times in condition >=, <=, == or use function now as i suggested with timezone.

Best way to debug functions is to use simple condition when true or similar, and use debug:

rule "debug_hourOfDay"
when
  true
then
  debug(concat("hourOfDay: ", to_string(now("Europe/Berlin").hourOfDay));
  debug(concat("dayOfWeek: ", to_string(now("Europe/Berlin").dayOfWeek));
end

Then check graylog logs file and search for line hourOfDay and dayOfWeek:
sudo tail -f /var/log/graylog-server/server.log

1 Like
9

Thank you, this is now working properly.
:raised_hand_with_fingers_splayed: :relaxed:

10

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.