I bumped it up to 2 minutes, but it didn't make any difference. I created a new stream with just one rule (must match EventID 4625). It has the same alert conditions as the original, with a 2 minute time frame. It doesn't send an email either, although it also shows up with the first stream as having a message routed into it.
What is the next thing I need to check?

Nathan

On Tuesday, September 27, 2016 at 10:23:49 AM UTC-4, Jochen Schalanda wrote:
>
> Hi Nathan,
>
> 1 minute is a rather unfortunate time frame, given that alert_check_interval
> <https://github.com/Graylog2/graylog2-server/blob/2.1.1/misc/graylog.conf#L417-L419>
> is 60 seconds by default.
>
> You should try increasing that time frame to 2 or 5 minutes in your alert conditions.
>
> Cheers,
> Jochen
>
> On Tuesday, 27 September 2016 15:56:31 UTC+2, Nathan Mace wrote:
>>
>> I'm sorry I didn't include a screenshot of this in the other message, but there is an alert configured. See attached picture.
>>
>> Additionally, down at the bottom of the screen to configure alerts for the stream, it lists 1 triggered alert from 6 days ago. Not sure why it worked then, and doesn't work now...
>>
>> Nathan
>>
>> On Tuesday, September 27, 2016 at 4:19:46 AM UTC-4, Dennis Oelkers wrote:
>>>
>>> Hey Nathan,
>>>
>>> so routing the message into the stream seems to work. The reason why you did not get an alert mail is that you need to define an alert condition first. You do that by clicking “Manage Alerts” in the Streams page next to your stream and then follow the steps below “Add alert condition”. In your case it would probably be a “Message Count” condition, which matches when the number of messages in this stream in a certain time range exceeds a given threshold.
>>>
>>> Kr,
>>> D.
>>>
>>> > On 26.09.2016, at 15:51, Nathan Mace <[email protected]> wrote:
>>> >
>>> > Sorry for the delayed reply. I've attached screenshots of the Stream rules as well as part of a log entry that should match both of the rules in the stream (and is actually flagged as being routed into the stream). I also have verified that sending a test alert from the stream works successfully, so it doesn't appear to be an issue with Graylog talking to the mail server. Any help or ideas would be appreciated. If there is additional info I can provide, please let me know. Thanks.
>>> >
>>> > Nathan
>>> >
>>> > On Thursday, September 22, 2016 at 3:46:07 AM UTC-4, Jochen Schalanda wrote:
>>> > Hi,
>>> >
>>> > what's the exact alert condition you're using?
>>> >
>>> > Kindly include some example messages, too.
>>> >
>>> > Cheers,
>>> > Jochen
>>> >
>>> > On Wednesday, 21 September 2016 18:29:00 UTC+2, Nathan Mace wrote:
>>> > Recently upgraded to 2.1 and just noticed this behavior.
>>> >
>>> > I have a stream that matches against two rules:
>>> >
>>> > EventID = 4625
>>> > AND
>>> > TargetUserName NOT EXACTLY "XXXXXX"
>>> >
>>> > If a log matches both of those, send an email. The emails are not being sent. Looking into it, if I force a failed login attempt it generates a message that should match the stream. I go manually find the message and in the details off to the side it does say it was routed into the stream. Additionally, if I copy the message ID and load it into the stream it gives two green lines and says it should match. Also, I can click on the title of the stream that takes me to the search screen with the rules of the stream applied, and the message shows up there as well. I tried deleting and re-creating the stream, that did not help either.
>>> >
>>> > Sending a test email from the stream is successful.
>>> >
>>> > Any ideas? These are Windows event logs, but I don't think that matters. Thanks.
>>> >
>>> > Nathan
>>> >
>>> > --
>>> > You received this message because you are subscribed to the Google Groups "Graylog Users" group.
>>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>> > To view this discussion on the web visit https://groups.google.com/d/msgid/graylog2/2818072c-9fb7-401a-8d46-01652b5e082d%40googlegroups.com.
>>> > For more options, visit https://groups.google.com/d/optout.
>>> > <Graylog_Web_Interface.png><Graylog_Web_Interface_1.png>
>>>
>>> --
>>> Tel.: +49 (0)40 609 452 077
>>> Fax.: +49 (0)40 609 452 078
>>>
>>> TORCH GmbH - A Graylog company
>>> Poolstrasse 21
>>> 20355 Hamburg
>>> Germany
>>>
>>> Commercial Reg. (Registergericht): Amtsgericht Hamburg, HRB 125175
>>> Geschäftsführer: Lennart Koopmann (CEO)
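Added example (not code from the Graylog project or from anyone in this thread), written to illustrate Jochen's point about the condition's time frame versus alert_check_interval: a small Python simulation of a periodic message-count check over a look-back window. The two stream rules applied are the ones quoted in the thread; the 10-second indexing lag, the check schedule and the sample messages are constructed assumptions, and the model is deliberately simpler than Graylog's real checker. It goes one step beyond the thread by showing, on the same sample, why a 60-second window can miss a failed logon that a 120-second window catches.

```python
"""Simulation of a periodic message-count alert check with a look-back window.

Added example, not code from the Graylog project or from anyone in this thread.
Model (an assumption, simplified): the checker wakes up every
alert_check_interval seconds and counts the stream's messages whose event
timestamp lies inside the condition's time frame. Messages become searchable
a little after they occur (constructed 'indexing lag'), so a window no longer
than the check interval can let a message age out before any check sees it.
"""
from dataclasses import dataclass
from typing import List, Tuple

CHECK_INTERVAL = 60  # seconds; the default alert_check_interval the thread refers to


@dataclass(frozen=True)
class Message:
    timestamp: float    # event time stored on the message (seconds since t0)
    indexed_at: float   # wall-clock time at which the message became searchable
    event_id: int
    target_user: str


def matches_stream(msg: Message, excluded_user: str = "XXXXXX") -> bool:
    """The two stream rules from the thread: EventID = 4625 AND TargetUserName NOT EXACTLY <excluded>."""
    return msg.event_id == 4625 and msg.target_user != excluded_user


def count_in_window(msgs, now: float, window: float) -> int:
    """Stream messages already indexed at `now` whose timestamp falls in (now - window, now]."""
    return sum(
        1 for m in msgs
        if matches_stream(m) and m.indexed_at <= now and now - window < m.timestamp <= now
    )


def run_checks(msgs, window: float, threshold: int = 0, horizon: float = 300,
               interval: float = CHECK_INTERVAL) -> List[Tuple[float, int, bool]]:
    """Run the periodic checker at interval, 2*interval, ... up to horizon.

    Returns one (check_time, count, fired) tuple per run; 'fired' means the
    count exceeded the threshold, like a Message Count condition.
    """
    results = []
    t = interval
    while t <= horizon:
        n = count_in_window(msgs, t, window)
        results.append((t, n, n > threshold))
        t += interval
    return results


def ever_fired(results) -> bool:
    """True if any check in the run would have raised the alert."""
    return any(fired for _, _, fired in results)


# Constructed sample: one failed logon (4625) at t=55 s that becomes searchable
# 10 s later, plus a 4625 for the excluded account and an unrelated 4624,
# both of which the stream rules drop.
SAMPLE = [
    Message(timestamp=55.0, indexed_at=65.0, event_id=4625, target_user="alice"),
    Message(timestamp=57.0, indexed_at=67.0, event_id=4625, target_user="XXXXXX"),
    Message(timestamp=58.0, indexed_at=68.0, event_id=4624, target_user="bob"),
]

if __name__ == "__main__":
    for window in (60, 120):
        res = run_checks(SAMPLE, window=window)
        print(f"window={window}s: fired={ever_fired(res)} checks={res}")
```

With a 60-second window the check at t=60 runs before the message is indexed, and by the check at t=120 the message's timestamp (55 s) has already left the window, so the alert never fires; with a 120-second window the check at t=120 still covers it. That is the failure mode a longer time frame avoids, and it is worth keeping in mind when tuning any periodic detection whose look-back is close to its check interval.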
