Graylog Enterprise

Introduction to Alerting

Event Alerts

Log data shows you important business happenings and events across your organization. But how do you separate normal everyday activity from possible issues you should check out? Using alerting to set thresholds for the issues worth investigating, and to notify the right people when they are crossed, keeps the noise to a minimum.

How It Works

Graylog alerts are periodic searches that can trigger notifications when a defined condition is satisfied. You specify the conditions under which Graylog considers the search results exceptional; when a condition is met, an alert is triggered.

Graylog ships with some default alert conditions. You can also extend alert conditions with plug-ins from the Graylog Marketplace, or create your own. The default alert conditions are:

  • Message Count Condition

    Triggers when the stream receives more than X messages in the last Y minutes.

  • Field Aggregation Condition

    Triggers when the result of a statistical computation of a numerical message field in the stream is higher or lower than a given threshold.

  • Field Content Condition

    Triggers when the stream receives at least one message since the last alert run that has a field set to a given value.

Alerts can be sent via email, text, or Slack.

Examples

  • Set conditions to trigger an alert whenever a message with Event ID 1102 (The audit log was cleared) comes in. For security purposes, audit logs should not be cleared.

  • Set conditions to monitor whether there’s an increase in errors after deploying a new server and trigger an alert if so. There should not be a significant increase in errors above the normal baseline for your environment, or your performance could take a hit.

  • Set conditions to trigger an alert if there’s a high rate of login failures on a server. That situation could be simply someone forgetting a password, but it’s something you should check out anyway.
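The three default conditions described under How It Works, applied to the three scenarios above, as an added illustration that is not Graylog's own code: each condition is a small function evaluated over a constructed sample stream of parsed messages (the `where` filter stands in for the stream filtering Graylog does before a condition runs; the field names, timestamps and event IDs other than 1102 are constructed).

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample stream (not real log data): one dict per parsed message.
NOW = datetime(2024, 1, 1, 12, 0, 0)
STREAM = [
    {"ts": NOW - timedelta(minutes=1), "event_id": 1102, "result": "success", "latency_ms": 90},
    {"ts": NOW - timedelta(minutes=2), "event_id": 4000, "result": "failure", "latency_ms": 400},
    {"ts": NOW - timedelta(minutes=3), "event_id": 4000, "result": "failure", "latency_ms": 350},
    {"ts": NOW - timedelta(minutes=4), "event_id": 4000, "result": "failure", "latency_ms": 300},
    {"ts": NOW - timedelta(minutes=9), "event_id": 4000, "result": "success", "latency_ms": 80},
    {"ts": NOW - timedelta(minutes=30), "event_id": 4000, "result": "success", "latency_ms": 70},
]

def in_window(stream, now, minutes):
    """Messages whose timestamp falls within the last `minutes` minutes."""
    start = now - timedelta(minutes=minutes)
    return [m for m in stream if start <= m["ts"] <= now]

def message_count_condition(stream, now, more_than, minutes, where=None):
    """Message Count Condition: more than X messages in the last Y minutes."""
    msgs = in_window(stream, now, minutes)
    if where:                       # optional stream filter, e.g. only login failures
        msgs = [m for m in msgs if where(m)]
    return len(msgs) > more_than

def field_aggregation_condition(stream, now, field, minutes, threshold, higher=True, agg=mean):
    """Field Aggregation Condition: a statistic of a numeric field is above/below a threshold."""
    values = [m[field] for m in in_window(stream, now, minutes) if field in m]
    if not values:                  # nothing to aggregate: no alert, not an error
        return False
    result = agg(values)
    return result > threshold if higher else result < threshold

def field_content_condition(stream, last_run, field, value):
    """Field Content Condition: at least one message since the last run has field == value."""
    return any(m["ts"] > last_run and m.get(field) == value for m in stream)

def evaluate_defaults(stream=STREAM, now=NOW):
    """Run the three scenarios from the Examples section over the sample stream."""
    return {
        "audit_log_cleared": field_content_condition(
            stream, now - timedelta(minutes=5), "event_id", 1102),
        "login_failure_spike": message_count_condition(
            stream, now, 2, 5, where=lambda m: m["result"] == "failure"),
        "latency_above_baseline": field_aggregation_condition(
            stream, now, "latency_ms", 5, 200),
    }
```

With the sample data, all three scenarios trigger: an Event ID 1102 arrived since the last run, three login failures in five minutes exceed the limit of two, and mean latency over the window is 285 ms against a 200 ms baseline.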
