Hi, what's the exact alert condition you're using?
Kindly include some example messages, too.

Cheers,
Jochen

On Wednesday, 21 September 2016 18:29:00 UTC+2, Nathan Mace wrote:
>
> Recently upgraded to 2.1 and just noticed this behavior.
>
> I have a stream that matches against two rules:
>
> EventID = 4625
> AND
> TargetUserName NOT EXACTLY "XXXXXX"
>
> If a log matches both of those, send an email. The emails are not being
> sent. Looking into it, if I force a failed login attempt it generates a
> message that should match the stream. I go manually find the message and
> in the details off to the side it does say it was routed into the stream.
> Additionally, if I copy the message ID and load it into the stream it
> gives two green lines and says it should match. Also, I can click on the
> title of the stream that takes me to the search screen with the rules of
> the stream applied, and the message shows up there as well. I tried
> deleting and re-creating the stream, that did not help either.
>
> Sending a test email from the stream is successful.
>
> Any ideas? These are Windows event logs, but I don't think that matters.
> Thanks.
>
> Nathan
>