Hey Nathan,
So routing the message into the stream seems to work. The reason why you did
not get an alert mail is that you need to define an alert condition first. You
do that by clicking “Manage Alerts” in the Streams page next to your stream and
then follow the steps below “Add alert condition”. In your case it would
probably be a “Message Count” condition, which matches when the number of
messages in this stream in a certain time range exceeds a given threshold.
Kr,
D.
> On 26.09.2016, at 15:51, Nathan Mace <[email protected]> wrote:
>
> Sorry for the delayed reply. I've attached screenshots of the Stream rules
> as well as part of a log entry that should match both of the rules in the
> stream (and is actually flagged as being routed into the stream). I also
> have verified that sending a test alert from the stream works successfully,
> so it doesn't appear to be an issue with Graylog talking to the mail server.
> Any help or ideas would be appreciated. If there is additional info I can
> provide, please let me know. Thanks.
>
> Nathan
>
> On Thursday, September 22, 2016 at 3:46:07 AM UTC-4, Jochen Schalanda wrote:
> Hi,
>
> what's the exact alert condition you're using?
>
> Kindly include some example messages, too.
>
> Cheers,
> Jochen
>
> On Wednesday, 21 September 2016 18:29:00 UTC+2, Nathan Mace wrote:
> Recently upgraded to 2.1 and just noticed this behavior.
>
> I have a stream that matches against two rules:
>
> EventID = 4625
> AND
> TargetUserName NOT EXACTLY "XXXXXX"
>
> If a log matches both of those, send an email. The emails are not being
> sent. Looking into it, if I force a failed login attempt it generates a
> message that should match the stream. I go manually find the message and in
> the details off to the side it does say it was routed into the stream.
> Additionally, if I copy the message ID and load it into the stream it gives
> two green lines and says it should match. Also, I can click on the title of
> the stream that takes me to the search screen with the rules of the stream
> applied, and the message shows up there as well. I tried deleting and
> re-creating the stream, that did not help either.
>
> Sending a test email from the stream is successful.
>
> Any ideas? These are Windows event logs, but I don't think that matters.
> Thanks.
>
> Nathan
>
> --
> You received this message because you are subscribed to the Google Groups
> "Graylog Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/graylog2/2818072c-9fb7-401a-8d46-01652b5e082d%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
> <Graylog_Web_Interface.png><Graylog_Web_Interface_1.png>
--
Tel.: +49 (0)40 609 452 077
Fax.: +49 (0)40 609 452 078
TORCH GmbH - A Graylog company
Poolstrasse 21
20355 Hamburg
Germany
Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
Geschäftsführer: Lennart Koopmann (CEO)
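
The two stages discussed in this thread (stream rules route a message; a separate "Message Count" alert condition decides whether an alert fires) can be modelled as below. This is an added example, not part of the original e-mails and not Graylog's own code; the function names, the condition dictionary layout and the sample messages are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample messages; field names follow the stream rules quoted above.
T0 = datetime(2016, 9, 21, 16, 0, 0)
MESSAGES = [
    {"timestamp": T0 + timedelta(seconds=10), "EventID": 4625, "TargetUserName": "alice"},
    {"timestamp": T0 + timedelta(seconds=20), "EventID": 4625, "TargetUserName": "XXXXXX"},
    {"timestamp": T0 + timedelta(seconds=30), "EventID": 4624, "TargetUserName": "alice"},
    {"timestamp": T0 + timedelta(seconds=40), "EventID": 4625, "TargetUserName": "bob"},
    {"timestamp": T0 + timedelta(minutes=10), "EventID": 4625, "TargetUserName": "carol"},
]

def routed_into_stream(msg, excluded_user="XXXXXX"):
    """Stage 1: both stream rules must match (EventID = 4625 AND user not excluded)."""
    return msg.get("EventID") == 4625 and msg.get("TargetUserName") != excluded_user

def message_count_condition(stream_msgs, now, time_range, threshold):
    """Stage 2: true when more than `threshold` stream messages fall in the time range."""
    recent = [m for m in stream_msgs if now - time_range < m["timestamp"] <= now]
    return len(recent) > threshold

def check_alerts(messages, now, conditions):
    """Return (number of routed messages, titles of the conditions that triggered)."""
    stream = [m for m in messages if routed_into_stream(m)]
    fired = [c["title"] for c in conditions
             if message_count_condition(stream, now, c["time_range"], c["threshold"])]
    return len(stream), fired

if __name__ == "__main__":
    now = T0 + timedelta(minutes=1)
    # Messages are routed, but with no alert condition defined nothing fires.
    print(check_alerts(MESSAGES, now, []))
    # Assumed setting: threshold 0 means "alert on any failed login in the last 5 minutes".
    any_failure = {"title": "any failed login", "time_range": timedelta(minutes=5), "threshold": 0}
    print(check_alerts(MESSAGES, now, [any_failure]))
```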