Hi Nathan,

1 minute is a rather unfortunate time frame, given that alert_check_interval <https://github.com/Graylog2/graylog2-server/blob/2.1.1/misc/graylog.conf#L417-L419> is 60 seconds by default.

You should try increasing that time frame to 2 or 5 minutes in your alert conditions.

Cheers,
Jochen

On Tuesday, 27 September 2016 15:56:31 UTC+2, Nathan Mace wrote:
>
> I'm sorry I didn't include a screenshot of this in the other message, but there is an alert configured. See attached picture.
>
> Additionally, down at the bottom of the screen to configure alerts for the stream, it lists 1 triggered alert from 6 days ago. Not sure why it worked then, and doesn't work now.......
>
> Nathan
>
> On Tuesday, September 27, 2016 at 4:19:46 AM UTC-4, Dennis Oelkers wrote:
>>
>> Hey Nathan,
>>
>> so routing the message into the stream seems to work. The reason why you did not get an alert mail, is that you need to define an alert condition first. You do that by clicking “Manage Alerts” in the Streams page next to your stream and then follow the steps below “Add alert condition”. In your case it would probably be a “Message Count” condition, which matches when the number of messages in this stream in a certain time range exceeds a given threshold.
>>
>> Kr,
>> D.
>>
>> > On 26.09.2016, at 15:51, Nathan Mace <[email protected]> wrote:
>> >
>> > Sorry for the delayed reply. I've attached screenshots of the Stream rules as well as part of a log entry that should match both of the rules in the stream (and is actually flagged as being routed into the stream). I also have verified that sending a test alert from the stream works successfully, so it doesn't appear to be an issue with Graylog talking to the mail server. Any help or ideas would be appreciated. If there is additional info I can provide, please let me know. Thanks.
>> >
>> > Nathan
>> >
>> > On Thursday, September 22, 2016 at 3:46:07 AM UTC-4, Jochen Schalanda wrote:
>> > Hi,
>> >
>> > what's the exact alert condition you're using?
>> >
>> > Kindly include some example messages, too.
>> >
>> > Cheers,
>> > Jochen
>> >
>> > On Wednesday, 21 September 2016 18:29:00 UTC+2, Nathan Mace wrote:
>> > Recently upgraded to 2.1 and just noticed this behavior.
>> >
>> > I have a stream that matches against two rules:
>> >
>> > EventID = 4625
>> > AND
>> > TargetUserName NOT EXACTLY "XXXXXX"
>> >
>> > If a log matches both of those, send an email. The emails are not being sent. Looking into it, if I force a failed login attempt it generates a message that should match the stream. I go manually find the message and in the details off to the side it does say it was routed into the stream. Additionally, if I copy the message ID and load it into the stream it gives two green lines and says it should match. Also, I can click on the title of the stream that takes me to the search screen with the rules of the stream applied, and the message shows up there as well. I tried deleting and re-creating the stream, that did not help either.
>> >
>> > Sending a test email from the stream is successful.
>> >
>> > Any ideas? These are Windows event logs, but I don't think that matters. Thanks.
>> >
>> > Nathan
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "Graylog Users" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/2818072c-9fb7-401a-8d46-01652b5e082d%40googlegroups.com.
>> > For more options, visit https://groups.google.com/d/optout.
>> > <Graylog_Web_Interface.png><Graylog_Web_Interface_1.png>
>>
>> --
>> Tel.: +49 (0)40 609 452 077
>> Fax.: +49 (0)40 609 452 078
>>
>> TORCH GmbH - A Graylog company
>> Poolstrasse 21
>> 20355 Hamburg
>> Germany
>>
>> Commercial Reg.
(Registergericht): Amtsgericht Hamburg, HRB 125175
>> Geschäftsführer: Lennart Koopmann (CEO)
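
An added illustration, not part of the original thread and not Graylog's code: a simplified model of why a 1-minute Message Count condition checked every 60 seconds can miss a single event such as one failed login (EventID 4625), while a 2 or 5 minute time frame does not. The function names, the one-event-per-second input and the 5-second `lag` (delay before a message becomes searchable) are assumptions made for this sketch.

```python
"""Simplified model of a periodic alert check (added illustration, not Graylog code).

Assumptions: every `interval` seconds the checker counts messages whose
timestamp lies in the last `window` seconds, and a message only becomes
searchable `lag` seconds after its timestamp (transport + indexing delay).
"""

def check_times(interval, horizon):
    """Seconds at which the periodic alert check runs."""
    return range(interval, horizon + 1, interval)

def is_detected(event_ts, window, interval, lag, horizon):
    """True if any check sees the event: inside the window AND already searchable."""
    for t in check_times(interval, horizon):
        in_window = t - window < event_ts <= t
        searchable = event_ts + lag <= t
        if in_window and searchable:
            return True
    return False

def missed_events(window, interval=60, lag=5, last_event=600):
    """Count single events (one per second, constructed input) that no check ever sees."""
    horizon = last_event + 2 * max(window, interval)
    return sum(
        not is_detected(ts, window, interval, lag, horizon)
        for ts in range(1, last_event + 1)
    )

if __name__ == "__main__":
    for minutes in (1, 2, 5):
        missed = missed_events(window=minutes * 60)
        print(f"window={minutes} min, check every 60 s: {missed} of 600 events missed")
```

In this model an event that arrives in the last `lag` seconds before a check is not yet searchable when that check runs and has already left the 1-minute window by the next one; a window longer than the check interval overlaps consecutive checks and closes that gap.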
