0

Graylog v2.3.2

My goal is to have a condition raise an alert, and the alert remain open until it's marked resolved or a defined resolved condition applies.

I have an alert setup and here is the condition configuration: 

Configuration: Alert is triggered when messages matching
<full_message: "*Short*"> are received. Grace period: 15 minutes.
Including last 2 messages in alert notification. Configured to not
repeat notifications.

The alert triggers fine, but then it self-resolves.

Here is the logs.... 

2018-01-04 23:56:23.699
Graylog checks test_alert (Field Content Alert Condition) condition on stream All messages
2018-01-04 23:56:23.699
Stream received messages matching <full_message:"Short"> (Current grace time: 15 minutes)
2018-01-04 23:56:23.699
Graylog triggers an alert for test_alert (Field Content Alert Condition) and starts sending notifications
2018-01-04 23:56:23.699
No notifications were configured for this alert
2018-01-04 23:56:28.526
Condition is no longer satisfied, alert is marked as resolved

Why did it say "Condition is no longer satisfied" and resolve the alert?

My goal is to keep the alert open until someone resolves it or it's resolved through another condition/etc

emmdee
  • 2,187
  • 12
  • 36
  • 60

1 Answers1

2

Why did it say "Condition is no longer satisfied" and resolve the alert?

Alerts in Graylog are basically scheduled searches. If the search result isn't empty (or more generally the alert condition is triggered), the alert is triggered (or active). Once the scheduled search doesn't return any results (or the alert condition is not triggered), the alert will be resolved.

Please refer to http://docs.graylog.org/en/2.3/pages/streams/alerts.html for more details about alerts in Graylog.

My goal is to keep the alert open until someone resolves it or it's resolved through another condition/etc

That's not possible as of Graylog 2.4.0.

Feel free to create a feature request at https://github.com/Graylog2/graylog2-server/issues/

joschi
  • 21,387
  • 3
  • 47
  • 50
  • Thanks for the info. So the only function of an alert is to trigger a notification? Otherwise I don't see the usefulness of an alert if nobody is going to notice when they log into the console. – emmdee Jan 05 '18 at 17:05
  • Yes, exactly. There are various alarm callbacks (e. g. for PagerDuty) so you can escalate your alerts to other systems. – joschi Jan 06 '18 at 13:11
  • Those alarm callbacks may be implemented as plugins, so check the Graylog marketplace for any already written. Consider having some development done on your own plugin if you want to integrate with some other alert system. – John Mahowald Jan 06 '18 at 13:30