Introduction to Alerting
How It Works
Graylog alerts are periodic searches that can trigger notifications when a defined condition is satisfied. You specify the alert conditions under which Graylog considers the search results exceptional, and it triggers an alert in that case.
Graylog ships with some default alert conditions. You can also extend alert conditions with plug-ins from the Graylog Marketplace, or create your own. The default alert conditions are:
Message Count Condition
Triggers when the stream receives more than X messages in the last Y minutes.
Field Aggregation Condition
Triggers when the result of a statistical computation of a numerical message field in the stream is higher or lower than a given threshold.
Field Content Condition
Triggers when the stream receives at least one message since the last alert run that has a field set to a given value.
Alerts can be sent via email, text, or Slack.
Set conditions to trigger an alert whenever a message with Event ID 1102 (The audit log was cleared) comes in. For security purposes, audit logs should not be cleared.
Set conditions to monitor whether errors increase after deploying a new server, and trigger an alert if so. Errors should not rise significantly above the normal baseline for your environment, or your performance could take a hit.
Set conditions to trigger an alert if there’s a high rate of login failures on a server. That situation could be simply someone forgetting a password, but it’s something you should check out anyway.
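To make the three default conditions concrete, here is an added Python example (not Graylog's own code) that evaluates each of them over a small constructed stream of messages, mirroring the use cases above. The field names (EventID, response_ms), the sample values and the five-minute windows are assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample stream (assumption: EventID and response_ms are
# illustrative field names, not Graylog defaults). Ages are minutes before NOW.
NOW = datetime(2024, 1, 1, 12, 0, 0)
MESSAGES = [
    {"timestamp": NOW - timedelta(minutes=age), **fields}
    for age, fields in [
        (1, {"EventID": "4625", "response_ms": 900}),   # failed logon
        (2, {"EventID": "4625", "response_ms": 850}),
        (3, {"EventID": "1102", "response_ms": 120}),   # audit log cleared
        (4, {"EventID": "4625", "response_ms": 700}),
        (9, {"EventID": "4624", "response_ms": 100}),   # successful logon
        (30, {"EventID": "4625", "response_ms": 90}),
    ]
]

def in_window(messages, minutes, now=NOW):
    """Messages from the last `minutes` minutes: the alert's search window."""
    cutoff = now - timedelta(minutes=minutes)
    return [m for m in messages if m["timestamp"] >= cutoff]

def message_count_condition(messages, threshold, minutes, more_than=True):
    """Message Count Condition: more (or fewer) than `threshold` messages in the window."""
    count = len(in_window(messages, minutes))
    return count > threshold if more_than else count < threshold

def field_aggregation_condition(messages, field, threshold, minutes, higher=True, agg=mean):
    """Field Aggregation Condition: a statistic of a numeric field versus a threshold."""
    values = [m[field] for m in in_window(messages, minutes)
              if isinstance(m.get(field), (int, float))]
    if not values:          # nothing numeric to aggregate: no alert, not an error
        return False
    stat = agg(values)
    return stat > threshold if higher else stat < threshold

def field_content_condition(messages, field, value, since):
    """Field Content Condition: any message since the last run with field == value."""
    return any(m["timestamp"] >= since and str(m.get(field)) == str(value)
               for m in messages)

def evaluate_examples(last_run=NOW - timedelta(minutes=5)):
    """The three use cases above, checked against the constructed stream."""
    failed_logons = [m for m in MESSAGES if m["EventID"] == "4625"]  # a filtered stream
    return {
        "audit_log_cleared": field_content_condition(MESSAGES, "EventID", 1102, last_run),
        "login_failure_burst": message_count_condition(failed_logons, 2, 5),
        "slow_responses": field_aggregation_condition(MESSAGES, "response_ms", 500, 5),
    }
```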