I know, we’re all lazy, and busy. Nobody wants to just stare at a dashboard all day like it’s the World Cup. That’s for management.
Let’s configure some proactive alerts to let us know when something needs our attention.
Create a Stream¶
In order to set up an alert, we need to first create a stream. Streams process incoming messages in real time based on conditions that you set. Click Streams.
Let’s create a stream for all incoming security/authentication error messages. Click Create Stream.
Type in a Title and Description.
Create a Stream Rule¶
Next, we are going to configure the stream to process our Syslog UDP input messages for any security alerts.
Hit the Manage Rules button.
Pick the Syslog UDP Input, and click Add stream rule.
Then, type in the values shown below and hit save.
Then click I’m done!
We have just configured this stream to process in real time all the messages that come in from the security/authorization facility.
Now let’s create the alert.
Create the Alert¶
You can now either output your new stream to a 3rd party application or database, or trigger an alert to ping you in real time when a message that matches our stream rule comes in. Let’s create an alert that will email us when there are more than 2 messages in the last 2 minutes.
Click Alerts in the navigation bar and then Manage conditions on the Alerts overview page.
In the Condition section, select the “Security/Auth Errors from Syslogs” stream and the “Message Count Alert Condition” from the Condition type menu.
Configure the rest based on my screenshot (input 2’s in every field). Then click Add alert condition.
Send a Test Email¶
On the Alerts overview page, click Manage notifications to setup an email notification.
Click Add new notification to create a email notification for the “Security/Auth Errors from Syslogs” stream.
Enter a title and your email address in the “E-Mail Receivers” section.
After adding the notification, hit the blue “Send test alert” button.
If you want to configure an SMTP server, you can refer to The graylog-ctl script.
If you want to make this stream active, just go back to Streams and where you see the stream name, click the green Start Stream button.
You are done - go grab a Creamsicle, take a deep breath, and chillax. Tomorrow you can configure all your own logs and alerts. To help, go and get some deep knowledge in the official documentation friendly people that will help and guide you can be found in our support community.
You can find more information on our Alerts page.