
Aggregation Event Definitions - Allow threshold value to be retrieved from lookup table on definition execution

Open AnushanLingam opened this issue 1 year ago • 2 comments

We currently have some hourly aggregation event definitions for things like spike in AppLocker blocks or increase in WAF blocks by site where a static threshold value is configured. These alerts can be quite noisy as what is considered a 'normal' message count varies by time of day/weekday vs weekend etc.

This feels like a bit of a dirty workaround but if I could set threshold values from a lookup table, I could calculate and maintain average values via API and then have the event definition pull this value based on a static key or the value from one of the group-by fields to determine if an alert should be generated.

I guess a proper way to do this would be to have some kind of baselining ability built into the event definition feature. Using my example of Increase in WAF Blocks (based on message count):

  1. Grab the current message count for the event definition time period based on the configured search query
  2. Grab message counts for the same time period for each of the last X days and calculate an average
  3. Use this average as the threshold to decide whether to trigger or not

Your Environment

  • Graylog Version: 5.2.7 Cloud
  • Operating System: Windows 11
  • Browser version: Edge

AnushanLingam, May 16 '24 10:05
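The three baselining steps sketched above, written out as a small added example (this is not code from the issue author or from the Graylog project). It assumes the hourly counts for the window have already been fetched and are keyed by date; `SAMPLE_HISTORY` is constructed data, and the `factor` and `min_count` thresholds are hypothetical knobs. It goes slightly beyond the post by letting the baseline be averaged only over days of the same type (weekday or weekend), which is the time-of-day/weekday-vs-weekend variation the post says makes a static threshold noisy.

```python
from datetime import date, timedelta
from statistics import mean
from typing import Dict, Optional

# Constructed sample: number of WAF-block messages seen in the same one-hour
# window on each of the previous days, keyed by date. Weekends are quieter.
SAMPLE_HISTORY: Dict[date, int] = {
    date(2024, 5, 9): 120,   # Thu
    date(2024, 5, 10): 98,   # Fri
    date(2024, 5, 11): 40,   # Sat
    date(2024, 5, 12): 35,   # Sun
    date(2024, 5, 13): 110,  # Mon
    date(2024, 5, 14): 130,  # Tue
    date(2024, 5, 15): 105,  # Wed
}


def is_weekend(d: date) -> bool:
    """Saturday and Sunday count as weekend days."""
    return d.weekday() >= 5


def baseline_average(history: Dict[date, int], today: date, days: int,
                     same_day_type: bool = True) -> Optional[float]:
    """Step 2: average the counts for the same window over the last `days` days.

    With same_day_type=True only days of the same kind as `today` (weekday or
    weekend) contribute, so a quiet weekend does not drag a weekday baseline
    down. Returns None when no usable history exists so the caller can decide
    what to do instead of comparing against a meaningless zero.
    """
    samples = []
    for offset in range(1, days + 1):
        d = today - timedelta(days=offset)
        if d not in history:
            continue  # gap in history (e.g. no data retained for that day)
        if same_day_type and is_weekend(d) != is_weekend(today):
            continue
        samples.append(history[d])
    if not samples:
        return None
    return mean(samples)


def should_alert(current: int, history: Dict[date, int], today: date,
                 days: int = 7, factor: float = 1.5, min_count: int = 10,
                 same_day_type: bool = True) -> bool:
    """Step 3: trigger when `current` (step 1, the count for the window being
    evaluated) exceeds the baseline by `factor`.

    `min_count` is an absolute floor: a jump from 1 to 3 blocks is a 3x spike
    but not worth an alert, and without history it is the only check applied.
    """
    if current < min_count:
        return False
    baseline = baseline_average(history, today, days, same_day_type)
    if baseline is None or baseline == 0:
        return True  # no baseline available; fall back to the absolute floor
    return current >= baseline * factor


if __name__ == "__main__":
    today = date(2024, 5, 16)  # a Thursday, evaluating the weekday window
    print("weekday baseline:", baseline_average(SAMPLE_HISTORY, today, 7))
    print("alert on 200?", should_alert(200, SAMPLE_HISTORY, today))
    print("alert on 150?", should_alert(150, SAMPLE_HISTORY, today))
```

Run against the constructed history, 150 blocks on a Thursday stays below 1.5x the weekday-only baseline (112.6) and is suppressed, but the same 150 would fire if weekend days were averaged in (baseline about 91.1): that dilution is exactly what makes a single static threshold either noisy on weekdays or blind on weekends.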

It sounds like you just need to use the Percentage metric, rather than calculating off absolute values - are you able to achieve what you need using that, or are you perhaps blocked by UI as per https://github.com/Graylog2/graylog2-server/issues/19372 ?

tellistone, May 17 '24 09:05

I had a feeling I was overcomplicating it, let me have a play around with the percentage metric to see if it can do what I want, cheers!

AnushanLingam, May 23 '24 07:05

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

github-actions[bot], Aug 23 '24 14:08