Introduction to Alerting
How It Works
Graylog alerts are periodic searches that can trigger notifications when a defined condition is satisfied. You specify the alert conditions under which Graylog considers the search results exceptional and, in that case, triggers an alert. You can also set the time frame each search covers (a specific window into the past) and how often the searches are run.
Graylog allows you to create any alert condition based on the data you are collecting. You can also extend alert conditions with plug-ins from the Graylog Marketplace. The default alert conditions are:
Triggers when the result of an aggregation, computed statistically over the search results, meets a defined threshold. Aggregation has been improved to support group-by fields, allowing for individualized alerts per grouped field value. Multiple groupings can be used per alert as well.
Triggers when the stream receives at least one message since the last alert run that has a field set to a given value.
Alerts can be sent via email, text, or Slack.
Set conditions to trigger an alert whenever a message with Event ID 104 (The audit log was cleared) arrives. For security purposes, audit logs should not be cleared.
Set conditions to monitor whether there’s an increase in errors after deploying a new server and trigger an alert if so. There should not be a significant increase in errors above the normal baseline for your environment, or your performance could take a hit.
Set conditions to trigger an alert if there is a high rate of login failures on a server. That situation could simply be someone forgetting a password, but it is something you should check out anyway. Grouping by the user name field also produces a separate alert for each account that was tried.
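The following is an added example, not Graylog's own code: it evaluates the two default condition types described above (a field content value check for Event ID 104, and a grouped aggregation count for login failures) over a constructed batch of messages within an alert time frame. The message fields, the "status" value, the five-minute window and the threshold are assumptions.

```python
"""Added example (not Graylog's code): evaluates the two default alert
condition types over a constructed batch of messages. Field names,
values, time frame and threshold are assumptions for illustration."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample messages, as a Graylog stream might hold them.
NOW = datetime(2024, 1, 1, 12, 0, 0)
MESSAGES = [
    {"timestamp": NOW - timedelta(minutes=1), "event_id": 0, "status": "failure", "user": "alice"},
    {"timestamp": NOW - timedelta(minutes=2), "event_id": 0, "status": "failure", "user": "alice"},
    {"timestamp": NOW - timedelta(minutes=3), "event_id": 0, "status": "failure", "user": "alice"},
    {"timestamp": NOW - timedelta(minutes=4), "event_id": 0, "status": "failure", "user": "bob"},
    # Event ID 104 ("The audit log was cleared"), taken from the text above.
    {"timestamp": NOW - timedelta(minutes=2), "event_id": 104, "status": "ok", "user": "SYSTEM"},
    # Outside the alert time frame; must not count toward the aggregation.
    {"timestamp": NOW - timedelta(minutes=30), "event_id": 0, "status": "failure", "user": "alice"},
]


def in_time_frame(messages, now, minutes):
    """Keep only messages inside the alert's search time frame (a window into the past)."""
    cutoff = now - timedelta(minutes=minutes)
    return [m for m in messages if m["timestamp"] >= cutoff]


def field_content_value(messages, field, value):
    """Field content value condition: at least one message in this run has field == value."""
    return any(m.get(field) == value for m in messages)


def aggregation_count(messages, match, group_by, threshold):
    """Aggregation condition with group-by: count matching messages per grouped
    field tuple and return only the groups above the threshold, so each group
    (e.g. each user name) yields its own individual alert."""
    counts = Counter(
        tuple(m.get(f) for f in group_by)
        for m in messages
        if all(m.get(k) == v for k, v in match.items())
    )
    return {group: n for group, n in counts.items() if n > threshold}


def run_alerts(messages, now, time_frame_minutes):
    """One alert run: restrict to the time frame, then evaluate both conditions."""
    window = in_time_frame(messages, now, time_frame_minutes)
    return {
        "audit_log_cleared": field_content_value(window, "event_id", 104),
        "login_failures": aggregation_count(window, {"status": "failure"}, ["user"], threshold=2),
    }


if __name__ == "__main__":
    print(run_alerts(MESSAGES, NOW, time_frame_minutes=5))
```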