Alerts and Events
  • 10 Aug 2022
  • 2 Minutes to read
  • Dark
    Light

Alerts and Events

  • Dark
    Light

Alerts and Events

As of Graylog 3.1.0, the Alerts page has changed to reflect a new method of generating Alerts. An Alert is triggered when a defined Event is detected. An Event is a condition that matches a log to a time period or aggregation. The Event may be used to group similar fields, change field content, or create new field content for use with Alerting and Correlation (an Enterprise feature.)

If no Events have been defined, the Alerts & Events page will display the “Get Started!” button as shown below.

alertsstartingpagenoevents.png

Defining an Event

When you click on the “Get Started!” button you will be presented with a set of dialogues that allow you to set Title, Description, and Priority. You may click back on the selection bar to step backward in the definition process at any time.

alertseventdetails.png

Priority

The Priority of an Event is a classification for user purpose. The priority of an event will be displayed as a thermometer icon in the overview and will be written into the notification.

Filter

By combining a Filter and an Aggregation you can specifically describe the criteria of an Event. Define a Filter by using Search Query in the same syntax as the Search page. Select a Stream in which the message can be found. Define the window of time that the Filter will search backward to match messages. The search will be executed at the given interval. If the Filter matches, an Event can be created. However, it may be useful to augment the filtered data with an aggregation!

alertsfilterdefinition.png

If the defined Filter matches messages currently within the Graylog Server, they will be displayed in the Filter Preview panel on the right.

Filter with Dynamic Lists (Enterprise feature)

Dynamic lists allow you to define a Filter where some of the search arguments are parameterized. Everytime an event defintion is being checked, these parameters are replaced with the result of a configured Lookup table. For example, you maintain a list of former employees in Active Directory or an HR system and want an alert if anyone on the list tries to log in. You can define a filter like Login from username:$former_employee$, where the parameter $former_employee$is backed by a lookup table, that returns a current list of your former employees.

Aggregation

An Aggregation can run a mathematical operation on either a numeric field value or the raw count of messages generated that match the Filter. Also, Aggregation can now group matches by a selected field before making the comparison. For instance, if the field username is defined, then it is possible to alert on five successive failed logins by a particular username. This use case is shown below.

alertsaggregationexample.png

Fields

Creating Custom Fields allows the Event to populate data from the original log into the Graylog Events index. This prevents the operator from having to run subsequent searches to get vital information. This can also be used to limit the amount of data sent to a Notification target. The Event will be recorded to the “All Events” stream and will contain the Custom Field, as well as the result of the Aggregation that triggered the Event.
alertscustomFielddisplay.png


Was this article helpful?