"Stateful" alerts -- AKA alerting when a log message changes from a previous state

1. Describe your incident:
Is there some way to generate an alert when a log message is different from the last time that same log message appeared? Essentially, I have the following log message:

10/05/22 00:10:56 /reader/antenna/connectedPortList: 1 2 3 4

The final 4 numbers on this log message change depending on whether or not RF antennae are connected to this device. I want to generate an alert when that value changes. I already have an alert set up so that if the values are not ‘1 2 3 4’ we get an alert. But I’d like to get just one alert when it changes (e.g. to 1 2 4), not an alert every single time it reports that ‘1 2 4’ value. Is this possible?

2. Describe your environment:

  • CentOS 7
  • Graylog 4.2.13

3. What steps have you already taken to try and solve the problem?
I know there are variables stored from the message backlog; reviewing the variable listing there, I don’t see anything suggesting there’s some means of storing custom variables for use with an alert later.

If this were a script or something, it seems like I would store this value in a variable, alert if that variable changes, then store the newly changed value into the variable, repeat. Is there any way to do this? Or something that will get me to the right end result? That is, only a single alert when that log message has a different set of numbers in the connectedPortList than the previous time it was seen.

Hey,

A while back some other member was trying to do the same thing, when the “IP address changes”.
They either used a pipeline and routed to a stream, then sent an alert.

Or

Perhaps Event Correlation, but that would require a license; unless you’re under 2 GB a day, then it should be free.

Ah well, this looks prohibitively expensive to figure out. We sometimes exceed 2GB/day (maybe 1-2x/month) so I’d hate to transition to enterprise and lose logs every now and then.

I think I’ll stick with my current log alerts for the time being, there’s lower hanging fruit out there. Thanks!


Even though event correlation is nice, I would not know how to use it for this purpose.

If I understand you right, you sometimes have the string " 1 2 3 4", and sometimes " 1 2 4" or similar. Is that right?
My suggestion would be to put that string into a single field via parsing. If the cardinality, the amount of different values, increases to two you can trigger an alert.

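To make the two approaches in this thread concrete, here is an added Python example (not code from the thread, and not a Graylog feature; it is a stand-alone script) over constructed log lines in the format the question shows. `stateful_alerts` is the "store the last value, alert only when it changes" logic the question describes, and `cardinality_alert` is the last reply's idea: parse the port list into a field and fire when the number of distinct values seen in the window reaches two. Function names, the regex and the sample timestamps are all assumptions made for this example.

```python
import re

# Constructed sample log lines in the format shown in the question (not real data).
SAMPLE_LOG = """\
10/05/22 00:10:56 /reader/antenna/connectedPortList: 1 2 3 4
10/05/22 00:11:56 /reader/antenna/connectedPortList: 1 2 3 4
10/05/22 00:12:56 /reader/antenna/connectedPortList: 1 2 4
10/05/22 00:13:56 /reader/antenna/connectedPortList: 1 2 4
10/05/22 00:14:56 /reader/antenna/connectedPortList: 1 2 3 4
"""

# Assumed line layout: "<date> <time> /reader/antenna/connectedPortList: <port numbers>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) /reader/antenna/connectedPortList:(?P<ports>(?: \d+)*)\s*$"
)


def parse_port_list(line):
    """Return (timestamp, ports) for a connectedPortList line, or None if it does not match.

    This is the "put the string into a single field via parsing" step; the port
    list becomes a tuple so that '1 2 3 4' and '1 2 4' compare as distinct values.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ports = tuple(int(p) for p in m.group("ports").split())
    return m.group("ts"), ports


def stateful_alerts(lines):
    """One alert per change of the port list, not one per report.

    The state is simply the last port list seen. The first message seeds the
    state and does not alert. Returns a list of (timestamp, previous, current).
    """
    last = None
    alerts = []
    for line in lines:
        parsed = parse_port_list(line)
        if parsed is None:
            continue  # unrelated log line, leave state untouched
        ts, ports = parsed
        if last is not None and ports != last:
            alerts.append((ts, last, ports))
        last = ports  # store the newly changed value and keep going
    return alerts


def cardinality_alert(lines):
    """The last reply's approach: count distinct parsed values in a window and
    fire when that count reaches two. Returns (distinct_count, fired).

    Note the trade-off: this fires as long as both values fall inside the same
    window, so a window longer than the flap interval reports the change more
    than once, while a very short window can miss it entirely.
    """
    values = {parsed[1] for parsed in map(parse_port_list, lines) if parsed}
    return len(values), len(values) >= 2


if __name__ == "__main__":
    sample_lines = SAMPLE_LOG.splitlines()
    for ts, before, after in stateful_alerts(sample_lines):
        print(f"{ts}: connectedPortList changed {before} -> {after}")
    count, fired = cardinality_alert(sample_lines)
    print(f"distinct values in window: {count}, cardinality alert fired: {fired}")
```

Run as-is, the stateful version reports exactly two changes for the five sample lines (3 4 dropping to 4, then recovering), whereas a plain "value is not 1 2 3 4" rule would fire on lines three and four. In Graylog terms the cardinality variant maps onto extracting the value into a field and building an aggregation event on that field's cardinality; the stateful variant has no direct equivalent without keeping the last value somewhere outside the event definition, which is what the question is really asking for.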
