Multiple identical alert logs #41

Open
frantz45 opened this issue Dec 22, 2022 · 1 comment

Comments

@frantz45
Collaborator

frantz45 commented Dec 22, 2022

One alert log is generated for each backlog log.
It should only generate multiple logs if there are different field values in the backlog (for example multiple source IP addresses).

For example:

2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
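The behaviour the report asks for, as an added example that is not the plugin's own code: parse the `key: value | key: value` body of each LoggingAlert line and emit one alert per distinct set of field values, counting the identical lines instead of re-emitting them. The abbreviated field set and the 192.0.2.10 address in the sample are constructed.

```python
import re

# Constructed sample: three identical alert lines (as in the report) plus one that
# differs only in source_ip_address. The shortened field list is ours, not the plugin's.
PREFIX = "2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] "
BASE = ("alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | "
        "alert_description:  | severity: medium | analyzer: graylog | sensor: host1 | "
        "source_ip_address: {ip} | target_host_name: host1 | target_user_name: root | "
        "alert_url: https://fqdn/alerts | drilldown: P30M")
LOG_LINES = [PREFIX + BASE.format(ip="")] * 3 + [PREFIX + BASE.format(ip="192.0.2.10")]

LINE_RE = re.compile(r"^(?P<ts>\S+) INFO\s+\[LoggingAlert\] (?P<body>.*)$")


def parse_alert(line):
    """Return the 'key: value' fields of one LoggingAlert line as a dict, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = {}
    for part in m.group("body").split(" | "):
        key, sep, value = part.partition(": ")
        if not sep:  # a segment without ': ' is not a field; skip it
            continue
        fields[key] = value.strip()  # empty fields (e.g. alert_description) become ""
    return fields


def collapse_alerts(lines, ignore=()):
    """One alert per distinct set of field values; identical lines are counted, not repeated.

    `ignore` names fields left out of the comparison (e.g. a per-line timestamp field).
    """
    groups = {}
    for line in lines:
        fields = parse_alert(line)
        if fields is None:
            continue
        key = tuple(sorted((k, v) for k, v in fields.items() if k not in ignore))
        entry = groups.setdefault(key, {"fields": fields, "count": 0})
        entry["count"] += 1
    return list(groups.values())


if __name__ == "__main__":
    for alert in collapse_alerts(LOG_LINES):
        print(alert["count"], "x", alert["fields"]["alert_id"],
              "source_ip_address=", repr(alert["fields"]["source_ip_address"]))
```

Run against the four lines above this yields two alerts: the empty-IP one with a count of 3 and the 192.0.2.10 one with a count of 1.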
@c8y3
Collaborator

c8y3 commented Jan 30, 2023

First step:

  • write a draft specification for the graylog-plugin-logging-alert plugin, with all required features and some use cases (some of which can be from the end-to-end tests and previous issues) and the initial specification document.
  • Then we can decide a strategy: adapt or start from scratch with a simpler behaviour.
  • If we plan to start from scratch, then we should consider "Separate the aggregation functionality in another plugin" (#34)
