ContactSupportBlogPartner Portal

Log Management and Graylog Alerts – Keeping Track of Events in Real-Time

September 30, 2019

Every log management solution out there has its own alerting feature. Alerts are a critical component of every logging tool. They can tell you whether an event is something you want to check out rather than just normal everyday activity you want to ignore. Graylog’s simplified interface is incredibly accessible to assist you with all the information you need in real-time, yet scalable enough to never compromise the level of detail provided. 

Knowing when something that matters comes up

Many old-school logging tools just run their background checks every 5-10 minutes. However, if something serious happens (like a hacking attempt), you definitely don’t want to know that 5 minutes later. That’s why Graylog keeps track of everything in real-time to identify every single event as soon as it occurs. Nonetheless, you also need to filter only relevant information and send it to the people who need to know. You don’t want to show every single system log to the people in your sales team, don’t you? 

Alert rules can be configured to warn you when an outstanding issue detected in log data requires immediate attention, and even send you a notification via email or text. Thresholds can be defined to reduce churn, and rules can be set only warn the right people in your team when a certain problem arises. 

Alert aggregation is a key component to understand how the logs are relevant to each other.  Getting an alert for 10 failed logins in 1 minute is not useful when hundreds of employees log in at 8 AM, and maybe 10 failed individually. By adding group aggregation, you can know when a specific user fails over 10 times, and only get alerted for 1 event.

In Graylog Enterprise 3.1, we introduced the correlation engine to take the alerting to the next level. If someone fails 10 times to log in, but right after does a successful login, maybe you were just brute force attacked. The correlation engine will monitor for a series of events and give you one, high fidelity alert.

A well-optimized alerting system warns you in real-time only when something that matters comes up. After all, if a serious threat like a data breach emerges, you want the right people to know about it immediately so they can mitigate the damage. However, you don’t want your ITOps team leader to be woken up in the middle of the night because one of your databases has just finished running its routine maintenance.

Proactive resource usage monitoring and management

You can use Graylog alerts to obtain a much more detailed overview of your resource usage. Individual log entries can be rolled up into a resource management dashboard to have a clearer picture of your resource usage. Logs can be easily correlated with other logs when exceptions or errors come up, or when the response time of a particular resource (Memory, Disk, CPU, etc.) shows the signs of a potential failure. Events surrounding, for example, a certain CPU spike can be analyzed by drilling down in correlated logs to identify the root causes of an issue.

SIEM solutions and Graylog log management

Today, Security Information and Event Management (SIEM) solutions work in tandem with log management tools such as Graylog to enhance their efficiency. If a SIEM keeps firing alerts every time a network or application issue is detected, users may get buried under the sheer amount of notifications. As a result, most of these alerts may end up being ignored, making a SIEM nothing but an extremely expensive but useless bauble.

A powerful log management tool can be paired with a SIEM, making notifications much less intrusive. When a potential threat is identified, its nature can be revealed through accurate log analysis, and even provide additional info about the methods used by hackers in case of breaches. Pairing a SIEM with the right log analysis tool can help an enterprise receive only the alerts that matter, as well as dig deeper into them and find more information about the root causes of an issue, its effects, and the solutions to fix it.

Using alerts to bring good news as well

Yes, we know already how important it is to quickly react when an issue endangers the stability of your system. Yet, alerts can be set to warn you about the good stuff as well. For example, you can receive a notification every time a certain amount of people visit your site or subscribe to your services. This is a fantastically efficient way to keep track of your SEO efforts, for example, or just to check whether a service you recently set up is running as smoothly as you want to.

Alerts can be used this way to do more than just put a smile on your teammates’ faces whenever a certain milestone is reached. They may represent an extremely valuable source of feedback information whenever you release a new feature. Knowing how quickly you reached the “first 500 people used it” threshold can be used to spot those features that customers really like or need and divert your DevOps team’s efforts accordingly. If you configure your logging system to keep track of users’ IDs, you may also send an automatic feedback request message to everyone who just tested your new feature. The possibilities are literally countless.

Conclusion

Graylog alerts can be used to obtain a fine-grained view of your system that draws from all the data coming from your logs. If you need more information on our alerting system, how it works, and its many functions, you can check this quick video guide here. If you still have doubts, don’t forget to check our community as well!


Written By

@
Add Graylog to your RSS feed
How to use RSS
RSS feeds allow you to see when websites have added new content. You can get the new content as soon as it's published, without having to visit the website. To start getting RSS feeds you will need a RSS feed reader on your device.
Back to Blog Posts

Stay In The Know

Get Graylog email updates and be the first to know about new content, product updates, and tips and tricks!