I know, we’re all lazy, and busy. Nobody wants to just stare at a dashboard all day like it’s the World Cup. That’s for management.
Let’s configure some proactive alerts to let us know when something needs our attention.
Create a Stream
In order to set up an alert, we need to first create a stream. Streams process incoming messages in real time based on conditions that you set. Click Streams.
Let’s create a stream for all incoming security/authentication error messages. Click Create Stream.
Type in a Title and Description.
Create a Stream Rule
Next, we are going to configure the stream to process our Syslog UDP input messages for any security alerts.
Hit the Manage Rules button.
Pick the Syslog UDP Input and click the Add stream rule button.
Next, type in the values shown below and click the Save button.
Finally, click the I’m done button!
We have just configured this stream to process in real time all the messages that come in from the
Now let’s create the alert.
Create the Alert
You can now either output your new stream to a third-party application or database, or trigger an alert that pings you in real time when a message matching our stream rule comes in. Let’s create an alert that will email us when there are more than 2 messages in the last 2 minutes.
Click Alerts in the navigation bar and then Manage conditions on the Alerts overview page.
In the Condition section, select the “Security/Auth Errors from Syslogs” stream and the “Message Count Alert Condition” from the Condition type menu, and then click the Add alert condition button.
Configure the rest based on my screenshot (input 2’s in every field) and then click the Save button.
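To show what the stream rule and the Message Count Alert Condition actually do with incoming messages, here is an added Python simulation (not Graylog’s own code). It assumes the stream rule routes messages whose syslog facility is auth or authpriv, uses constructed RFC 5424-style log lines, and applies the "more than 2 messages in 2 minutes" condition with a backlog of 2.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines (RFC 5424 layout); not taken from the guide.
SAMPLE_LINES = [
    "<86>1 2024-01-05T10:00:01Z bastion sshd 411 - - Failed password for root from 192.0.2.5 port 22",
    "<30>1 2024-01-05T10:00:20Z bastion cron 77 - - (root) CMD (run-parts /etc/cron.hourly)",
    "<86>1 2024-01-05T10:00:45Z bastion sshd 412 - - Failed password for admin from 192.0.2.5 port 22",
    "<38>1 2024-01-05T10:01:30Z bastion sudo 500 - - pam_unix(sudo:auth): authentication failure; user=bob",
    "<86>1 2024-01-05T10:01:50Z bastion sshd 413 - - Failed password for root from 192.0.2.5 port 22",
]
# <PRI>VERSION TIMESTAMP HOST APP PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(r"^<(\d+)>1 (\S+) (\S+) (\S+) \S+ \S+ (?:-|\[[^\]]*\]) (.*)$")
AUTH_FACILITIES = {4, 10}  # syslog "auth" and "authpriv"; the assumed stream rule


def parse_syslog(line):
    """Split one line into the fields Graylog extracts; PRI encodes facility*8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    return {"timestamp": datetime.fromisoformat(m.group(2).replace("Z", "+00:00")),
            "facility": pri // 8, "level": pri % 8,
            "source": m.group(3), "application": m.group(4), "message": m.group(5)}


def stream_rule_matches(msg):
    """Assumed stream rule: only auth/authpriv facility messages enter the stream."""
    return msg["facility"] in AUTH_FACILITIES


def message_count_condition(stream_msgs, now, time_range=2, threshold=2, backlog=2):
    """Message Count Alert Condition: fire when MORE than `threshold` stream messages
    arrived within the last `time_range` minutes; attach the last `backlog` messages."""
    window_start = now - timedelta(minutes=time_range)
    recent = [m for m in stream_msgs if window_start <= m["timestamp"] <= now]
    triggered = len(recent) > threshold
    return {"triggered": triggered, "count": len(recent),
            "backlog": [m["message"] for m in recent[-backlog:]] if triggered else []}


def evaluate(lines, now_iso):
    """Run parse -> stream rule -> alert condition, as the stream would for these lines."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    parsed = [p for p in map(parse_syslog, lines) if p]
    return message_count_condition([m for m in parsed if stream_rule_matches(m)], now)
```

Evaluating at 10:02:00 finds four auth messages in the window (the cron line is filtered out by the stream rule), so the condition fires; at 10:01:00 only two are in the window, which is not more than 2, so it stays quiet.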
Send a Test Email
On the Alerts overview page, click Manage notifications to set up an email notification.
Click Add new notification to create an email notification for the “Security/Auth Errors from Syslogs” stream.
Enter a title and your email address in the “E-Mail Receivers” section.
After adding the notification, hit the blue Test button to send a test alert.
If you want to configure an SMTP server, you can refer to The graylog-ctl script.
If you want to make this stream active, just go back to the Streams page and click its green Start Stream button.
You can learn more about alerting on our Alerts page.
You’re done with the Getting Started guide! Go grab a Creamsicle, take a deep breath, and chillax. Tomorrow you can configure all your own logs and alerts.