airbus-cyber / graylog-plugin-logging-alert

Alert notification plugin for Graylog to generate log messages from alerts

License: Other

JavaScript 25.78% Java 45.15% CSS 1.16% Dockerfile 0.44% Python 24.41% TypeScript 3.06%
graylog-plugin alert-notification alerting graylog log-alert


Logging Alert Plugin for Graylog



The alert notification generates a log message when an alert is triggered.

This is useful, for example, to record alerts as internal log messages in Graylog itself using the Internal Logs Input Plugin for Graylog. You can then create a stream to receive and manage the alerts.

It is also useful to forward alerts, as log messages, to a Security Incident Response Platform.

Note that if the log message template includes message field values, and those values vary across the messages that triggered the alert, several log messages may be generated for a single alert.

Alert example recorded as an internal log message:

Version Compatibility

| Plugin Version | Graylog Version |
|----------------|-----------------|
| 5.1.x | 5.1.x |
| 5.0.x | 5.0.x |
| 4.3.x | 4.3.x |
| 4.2.x | 4.3.x |
| 4.1.x | 4.2.x |
| 4.0.x | 4.1.x |
| 2.2.x | 3.3.x |
| 2.1.x | 3.2.x |
| 2.0.x | 3.2.x |
| 1.3.x | 3.0.x |
| 1.2.x | 3.0.x |
| 1.1.x | 2.5.x |
| 1.0.x | 2.4.x |

Installation

Download the plugin and place the .jar file in your Graylog plugin directory. By default the plugin directory is the plugins/ folder relative to your graylog-server directory; it can be configured in your graylog.conf file.

Restart graylog-server and you are done. Pick the plugin release that matches your Graylog version (see Version Compatibility above): Graylog refuses to load a plugin built for a different server version.
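As an added example (not part of the plugin or of the Graylog distribution), the following Python script resolves the effective plugin directory from a graylog.conf excerpt and scans a server.log excerpt for the line Graylog prints when it refuses a plugin built for another server version. The conf and log excerpts are constructed, and the file paths are assumptions:

```python
"""Resolve the Graylog plugin directory and check server.log after a restart.

Added example; not part of the plugin. The conf and log excerpts below are
constructed for the example."""
import re
from pathlib import PurePosixPath

# Constructed graylog.conf excerpts. The commented-out line shows the default
# the README describes: plugins/ relative to the graylog-server directory.
CONF_DEFAULT = "# plugin_dir = plugins\nhttp_bind_address = 127.0.0.1:9000\n"
CONF_OVERRIDE = "# plugin_dir = plugins\nplugin_dir = /usr/share/graylog-server/plugin\n"

# The error Graylog logs when a plugin was built for another server version
# (wording taken from the issue quoted later on this page).
NOT_LOADING = re.compile(
    r'Plugin "(?P<name>[^"]+)" requires version (?P<version>\S+) - not loading!')


def resolve_plugin_dir(conf_text, server_dir="/usr/share/graylog-server"):
    """Effective plugin directory: an uncommented plugin_dir setting wins,
    otherwise plugins/ relative to server_dir. A relative setting is resolved
    against server_dir as well (assumption made for this example)."""
    for line in conf_text.splitlines():
        match = re.match(r"^\s*plugin_dir\s*=\s*(\S+)", line)
        if match:
            value = match.group(1)
            return value if value.startswith("/") else str(PurePosixPath(server_dir) / value)
    return str(PurePosixPath(server_dir) / "plugins")


def plugin_load_problems(log_text):
    """Map plugin name -> required Graylog version for every plugin the server
    refused to load, so a version mismatch is caught right after the restart."""
    return {m.group("name"): m.group("version") for m in NOT_LOADING.finditer(log_text)}


# Constructed server.log excerpt (the second line is filler, not a real Graylog message).
LOG_EXCERPT = (
    '2023-08-28T17:11:35.392+07:00 ERROR [CmdLineTool] Plugin "Logging Alert Notification" '
    'requires version 4.3.6 - not loading!\n'
    '2023-08-28T17:11:36.001+07:00 INFO  [CmdLineTool] example filler line\n'
)

if __name__ == "__main__":
    print("plugin dir:", resolve_plugin_dir(CONF_OVERRIDE))
    for name, version in plugin_load_problems(LOG_EXCERPT).items():
        print(f"{name}: built for Graylog {version}; install the matching plugin release")
```

Run it after the restart against your real server.log; an entry in the returned dictionary means the jar you copied does not match the Graylog version and the notification type will not appear in the UI.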

Usage

Configure a notification

First, select Logging Alert Notification as the notification type.

Then, in the popup that opens, you can configure the Title of the notification.

You can configure the Alert Severity, choosing between 4 levels of severity.

You can also configure the Log Content to log the information you want; for the template syntax, please see the Graylog documentation.

Some plugin-specific fields values can be added to the log content.

| Plugin-specific Field | Description |
|---|---|
| logging_alert.id | ID of the alert |
| logging_alert.severity | Severity of the alert |
| logging_alert.detect_time | Timestamp of the first message that triggered the alert |
| logging_alert.messages_url | URI to retrieve the messages that triggered the alert |

The parameter Split Fields allows you to split the alert based on message field values: a different alert id is generated for each distinct value (or combination of values) of one or more message fields.

The parameter Aggregation Time Range allows you to aggregate alerts received within the given number of minutes: alerts are logged with the same alert id during that time range.

The parameter Single message allows you to send only one notification per alert.

You can optionally add a Comment about the configuration of the notification.

Make sure you have also configured alert conditions for the stream, so that the alerts are actually triggered.
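The following Python simulation, added here and not taken from the plugin, shows what Split Fields, Aggregation Time Range and Single message do to the generated log lines. The backlog, the alert-id format "<event id>-<counter>" and the Log Content template are constructed for the example; the plugin's real id format differs:

```python
"""Simulate how Split Fields, Aggregation Time Range and Single message shape
the log lines one Logging Alert notification emits.

Added example modelled on the README's description; it is not the plugin's
code. The backlog, template and alert-id format are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed backlog: the messages that triggered one event definition.
BACKLOG = [
    {"timestamp": "2022-12-22T09:53:25.146Z", "source": "host1", "target_user": "root"},
    {"timestamp": "2022-12-22T09:55:01.000Z", "source": "host1", "target_user": "root"},
    {"timestamp": "2022-12-22T09:56:12.000Z", "source": "host2", "target_user": "bob"},
]

# Log Content in the "key: value | key: value" style of the README's example log.
TEMPLATE = ("alert_id: {alert_id} | severity: {severity} | detect_time: {detect_time}"
            " | source: {source} | target_user_name: {target_user}")

NOW = datetime(2022, 12, 22, 10, 3, 30, tzinfo=timezone.utc)   # constructed trigger time


def minutes_after(moment, minutes):
    return moment + timedelta(minutes=minutes)


class AlertIdRegistry:
    """Hands out one alert id per tuple of split-field values and reuses it while
    a later trigger falls inside the aggregation time range. The id format
    '<event id>-<counter>' is an assumption made for this example."""

    def __init__(self, aggregation_minutes):
        self.window = timedelta(minutes=aggregation_minutes)
        self._seen = {}      # split values -> (alert id, time first assigned)
        self._counter = 0

    def alert_id(self, event_id, split_values, now):
        previous = self._seen.get(split_values)
        if previous is not None and now - previous[1] <= self.window:
            return previous[0]                  # still inside the aggregation window
        self._counter += 1
        alert_id = f"{event_id}-{self._counter}"
        self._seen[split_values] = (alert_id, now)
        return alert_id


def build_alert_logs(event_id, backlog, split_fields, registry, now,
                     severity="medium", single_message=False):
    """Return the log lines the notification would emit for one trigger."""
    # Group the backlog by split-field values. str() keeps numeric fields working.
    groups = defaultdict(list)
    for message in backlog:
        key = tuple(str(message.get(field, "")) for field in split_fields)
        groups[key].append(message)

    lines = []
    for key, messages in groups.items():
        alert_id = registry.alert_id(event_id, key, now)
        detect_time = min(m["timestamp"] for m in messages)   # first triggering message
        # Single message: one line per alert id; otherwise one line per backlog message.
        for m in (messages[:1] if single_message else messages):
            lines.append(TEMPLATE.format(alert_id=alert_id, severity=severity,
                                         detect_time=detect_time, source=m["source"],
                                         target_user=m["target_user"]))
    return lines


def alert_ids_in(lines):
    """Distinct alert ids carried by a list of generated log lines."""
    return {line.split(" | ")[0].split(": ", 1)[1] for line in lines}


if __name__ == "__main__":
    registry = AlertIdRegistry(aggregation_minutes=1440)
    for line in build_alert_logs("evtA", BACKLOG, ["source"], registry, NOW):
        print(line)
```

With a split field of source the three backlog messages yield two alert ids (one per host) and three lines; a second trigger ten minutes later reuses the same ids because it falls inside the 1440-minute aggregation range, and Single message reduces the output to one line per alert id.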

Configure the plugin parameters

Click Configure in the System / Configurations section to update the plugin configuration.

In the popup that opens, you can configure the default values of the parameters that are set when adding a new notification: Default Alert Severity, Default Log Content and Default Aggregation Time Range.

You can define a Line Break Substitution for the log content to make the log fields and their values easier to parse: the given separator is inserted between the fields of the log content.

You can also configure the Alerts Stream. This stream must receive the alert log messages for the alert aggregation feature to work; use the Internal Logs Input Plugin for Graylog for this purpose.

You can also set the Alert ID Field, which is the field read to obtain the alert id from the log messages of the Alerts Stream.

You can optionally define an Overflow Limit. Once this number of log messages has been generated for a triggered alert, every further log message generated by the notification is tagged as overflow. This limit prevents you from forwarding too many log messages per alert to a Security Incident Response Platform, by filtering the log messages according to their tag. For this purpose you can choose the names of the tags: Alert Tag and Overflow Tag.
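Seen from the consuming side, the Line Break Substitution and the Overflow Limit together decide what a forwarder to a Security Incident Response Platform has to parse and what it may drop. The Python below is an added example, not the plugin's code: it turns a multi-line Log Content into the single-line form a substitution produces, parses it back into fields, tags lines beyond an overflow limit and filters them. The separator, the tag names, and the assumption that the overflow tag replaces the alert tag are choices made for the example:

```python
"""Line Break Substitution and Overflow Limit, seen from the consumer side.

Added example; not the plugin's code. The separator, tag names and sample
lines are constructed for the example."""
from collections import Counter

SEPARATOR = " | "                       # assumed Line Break Substitution value
ALERT_TAG = "LoggingAlert"              # assumed Alert Tag
OVERFLOW_TAG = "LoggingAlertOverflow"   # assumed Overflow Tag

# Constructed multi-line Log Content, before substitution.
LOG_CONTENT = """alert_id: evtA-1
alert_title: ssh root login
alert_description:
severity: medium
messages_url: /search?rangetype=absolute&q=source%3A%22host1%22
"""


def substitute_line_breaks(content, separator=SEPARATOR):
    """Join the non-empty lines of the log content with the separator."""
    return separator.join(line.strip() for line in content.splitlines() if line.strip())


def parse_alert_log(line, separator=SEPARATOR):
    """Split a generated line back into {field: value}. Only the first ': ' of each
    part is taken as the delimiter, so values such as URLs keep their colons."""
    fields = {}
    for part in line.split(separator):
        key, sep, value = part.partition(": ")
        if not sep and not part.endswith(":"):
            continue                     # not a "key: value" pair
        fields[key.rstrip(":").strip()] = value.strip()
    return fields


class OverflowLimiter:
    """Counts lines per alert id; the first `limit` get ALERT_TAG, every later one
    OVERFLOW_TAG (that the overflow tag replaces the alert tag is an assumption)."""

    def __init__(self, limit):
        self.limit = limit
        self.seen = Counter()

    def tag(self, fields):
        alert_id = fields["alert_id"]
        self.seen[alert_id] += 1
        tag = ALERT_TAG if self.seen[alert_id] <= self.limit else OVERFLOW_TAG
        return {**fields, "tag": tag}


def forward_to_sirp(lines, limit):
    """Parse, tag and filter: return (all tagged records, records to forward)."""
    limiter = OverflowLimiter(limit)
    tagged = [limiter.tag(parse_alert_log(line)) for line in lines]
    forwarded = [record for record in tagged if record["tag"] != OVERFLOW_TAG]
    return tagged, forwarded


def sample_lines():
    """Five lines for alert evtA-1 plus one for evtB-1 (constructed)."""
    base = substitute_line_breaks(LOG_CONTENT)
    return [base] * 5 + [base.replace("evtA-1", "evtB-1")]


if __name__ == "__main__":
    tagged, forwarded = forward_to_sirp(sample_lines(), limit=3)
    print(f"{len(tagged)} generated, {len(forwarded)} forwarded")
```

The parser relies on the separator never occurring inside a field value; the URL-encoded messages_url is safe, but a free-text field such as alert_title is not, so choose a substitution string that cannot appear in your templates.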

Build

This project uses Maven 3 and requires Java 8 or higher.

  • Clone this repository.
  • Run mvn package to build a JAR file.
  • Optional: Run mvn jdeb:jdeb and mvn rpm:rpm to create a DEB and RPM package respectively.
  • Copy the generated JAR file from the target directory to your Graylog plugin directory.
  • Restart Graylog.

License

This plugin is released under version 1 of the Server Side Public License (SSPL).

Contributors

asylla01, c8y3, dlancelin, flainet, paasi6666, tomasnk

Issues

logging_alert.alert_url and logging_alert.messages_url are broken in 2.x

The query in logging_alert.messages_url doesn't work.
It seems to be missing the part "&q=stream%3Axxxxxxxxxx":
/search?rangetype=absolute&from=aaa&to=bbb+AND+user%3Atoto

logging_alert.alert_url is always empty.
I know the page /alerts/alert_id doesn't exist anymore.
It may be possible to redirect to the page /alerts/ and to POST the right search.
If it's not possible you can remove this parameter from the code and the documentation.

${logging_alert.messages_url} has a wrong timerange for a LESS THAN rule

To reproduce (it's easier to create the rule via the Wizard but it can be created from Event definition)

  1. Create a COUNT rule
  2. Choose a condition that doesn't match any log you receive (for example field "aaaaaa" matches exactly "aaaaaa")
  3. Select the count condition LESS THAN 1
  4. Set the timerange condition to the last 10 minutes and Save the rule
  5. Go the corresponding Event Definition and set the "Execute search every" to 10 minutes (so the rule is checked every 10 minutes on a window of the last 10 minutes)
  6. Go to the corresponding Notification to be sure ${logging_alert.messages_url} is part of the body template. If not, just add it
  7. Wait 10 minutes for the rule to trigger

Check the value corresponding to ${logging_alert.messages_url} in the generated alert log.
In this URL we can see the "from" parameter and the "to" parameter which refer to the search timerange of the alert.
The difference between these two fields is only 1 minute, but it should be 10 minutes (the timerange condition set in the rule).

It works well with a "MORE THAN 0" rule.

Discuss about option singleMessage

When the backlog is activated, the plugin will, by default, generate one log per message in the backlog.
If option singleMessage is activated, only one log, with the complete backlog will be generated.
Maybe we should consider inverting the option singleMessage (it should be activated by default to avoid unnecessary flooding).
Discuss...

Multiple identical alert logs

One alert log is generated for each backlog log.
It should only generate multiple logs if there are different field values in the backlog (for example multiple source IP addresses).

For example:

2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M
2022-12-22T11:03:30.841+01:00 INFO  [LoggingAlert] alert_id: 01GF0WERGYVBRRYSGYNM4DWK67-1056867426 | alert_title: rule1 | alert_description:  | severity: medium | create_time: 2022-12-22T10:03:30.602Z | detect_time: 2022-12-22T09:53:25.146Z | analyzer: graylog | sensor: host1 | source_command:  | source_file_name:  | source_host_name:  | source_ip_address:  | source_mac_address:  | source_port:  | source_process:  | source_tool:  | source_url:  | source_user_name:  | target_command:  | target_file_name:  | target_host_name: host1 | target_ip_address:  | target_mac_address:  | target_port:  | target_process:  | target_tool:  | target_url:  | target_user_name: root | file_name:  | file_hash:  | alert_url: https://fqdn/alerts | messages_url: /search?rangetype=absolute&from=2022-12-22T09%3A53%3A25.146Z&to=2022-12-22T10%3A04%3A30.616Z&streams=63189ffd28af5049e6eef5a8%2C63189ffd28af5049e6eef5cd&q=source%3A"host1" | custom:  | drilldown: P30M

Empty variable ${logging_alert.messages_url}

When no logs are provided to this plugin (backlog=0 or message count threshold<1) the field ${logging_alert.messages_url} is empty.
It would be great to get at least the URL to the stream.

Error when viewing a notification

Go to the Alerts page.
Then click on Notifications.
Click on the title of a LoggingAlert notification.
A red error message is displayed: Notification type is not supported.

However editing a notification works well, and the notification works too.

Elasticsearch exception: Failed to parse query

Sometimes an exception is thrown, as you can see below.
Graylog version : 4.1.6
Plugin version : 4.0.0

2021-11-04T17:19:23.249+01:00 ERROR [JobExecutionEngine] Unhandled job execution error - trigger=6184080b2f904c5cd9dc731e job=6183fea41c042859f953bd0b
org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException: Unable to perform search query
    at org.graylog.storage.elasticsearch7.ElasticsearchClient.exceptionFrom(ElasticsearchClient.java:136) ~[?:?]
    at org.graylog.storage.elasticsearch7.ElasticsearchClient.firstResponseFrom(ElasticsearchClient.java:85) ~[?:?]
    at org.graylog.storage.elasticsearch7.ElasticsearchClient.search(ElasticsearchClient.java:61) ~[?:?]
    at org.graylog.storage.elasticsearch7.SearchesAdapterES7.search(SearchesAdapterES7.java:122) ~[?:?]
    at org.graylog2.indexer.searches.Searches.search(Searches.java:156) ~[graylog.jar:?]
    at org.graylog2.indexer.searches.Searches.search(Searches.java:149) ~[graylog.jar:?]
    at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.getAggregationAlertID(LoggingAlertUtils.java:108) ~[?:?]
    at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.getListOfLoggingAlertField(LoggingAlertUtils.java:254) ~[?:?]
    at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlert.execute(LoggingAlert.java:112) ~[?:?]
    at org.graylog.events.notifications.EventNotificationExecutionJob.execute(EventNotificationExecutionJob.java:135) ~[graylog.jar:?]
    at org.graylog.scheduler.JobExecutionEngine.executeJob(JobExecutionEngine.java:166) ~[graylog.jar:?]
    at org.graylog.scheduler.JobExecutionEngine.lambda$handleTrigger$2(JobExecutionEngine.java:144) ~[graylog.jar:?]
    at com.codahale.metrics.Timer.time(Timer.java:151) ~[graylog.jar:?]
    at org.graylog.scheduler.JobExecutionEngine.handleTrigger(JobExecutionEngine.java:144) ~[graylog.jar:?]
    at org.graylog.scheduler.JobExecutionEngine.lambda$execute$0(JobExecutionEngine.java:119) ~[graylog.jar:?]
    at org.graylog.scheduler.worker.JobWorkerPool.lambda$execute$0(JobWorkerPool.java:110) ~[graylog.jar:?]
    at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_262]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_262]
    at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
    at java.lang.Thread.run(Thread.java:748) [?:1.8.0_262]
Caused by: org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException: Elasticsearch exception [type=search_phase_execution_exception, reason=all shards failed]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException.innerFromXContent(ElasticsearchException.java:496) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException.failureFromXContent(ElasticsearchException.java:603) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.action.search.MultiSearchResponse.itemFromXContent(MultiSearchResponse.java:215) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.action.search.MultiSearchResponse.lambda$static$1(MultiSearchResponse.java:56) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.AbstractObjectParser.lambda$declareObjectArray$13(AbstractObjectParser.java:254) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.AbstractObjectParser.lambda$declareFieldArray$22(AbstractObjectParser.java:300) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.AbstractObjectParser.parseArray(AbstractObjectParser.java:382) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.AbstractObjectParser.lambda$declareFieldArray$23(AbstractObjectParser.java:300) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.lambda$declareField$9(ObjectParser.java:386) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.parseValue(ObjectParser.java:529) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.parseArray(ObjectParser.java:523) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.parseSub(ObjectParser.java:555) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.parse(ObjectParser.java:324) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ConstructingObjectParser.parse(ConstructingObjectParser.java:171) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ConstructingObjectParser.apply(ConstructingObjectParser.java:163) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.action.search.MultiSearchResponse.fromXContext(MultiSearchResponse.java:194) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.parseEntity(RestHighLevelClient.java:1892) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.lambda$performRequestAndParseEntity$8(RestHighLevelClient.java:1554) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1630) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1583) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1553) ~[?:?]
    at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.msearch(RestHighLevelClient.java:1118) ~[?:?]
    at org.graylog.storage.elasticsearch7.ElasticsearchClient.lambda$search$0(ElasticsearchClient.java:59) ~[?:?]
    at org.graylog.storage.elasticsearch7.ElasticsearchClient.execute(ElasticsearchClient.java:97) ~[?:?]
    at org.graylog.storage.elasticsearch7.ElasticsearchClient.search(ElasticsearchClient.java:59) ~[?:?]
    ... 18 more
    Suppressed: org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException: Elasticsearch exception [type=query_shard_exception, reason=Failed to parse query [streams:6183fe751c042859f953b84aalert_id:(01FKNVCGP742626JSEFX4Q8K79-838939282 OR 01FKNTT6ZT60CAGFW27RSQDW1G-838939282 OR 01FKNT7X5HW1ZJVPJE0WD6A7X6-838939282)]]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException.innerFromXContent(ElasticsearchException.java:496) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException.fromXContent(ElasticsearchException.java:407) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException.innerFromXContent(ElasticsearchException.java:469) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.ElasticsearchException.failureFromXContent(ElasticsearchException.java:603) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.action.search.MultiSearchResponse.itemFromXContent(MultiSearchResponse.java:215) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.action.search.MultiSearchResponse.lambda$static$1(MultiSearchResponse.java:56) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.AbstractObjectParser.lambda$declareObjectArray$13(AbstractObjectParser.java:254) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.AbstractObjectParser.lambda$declareFieldArray$22(AbstractObjectParser.java:300) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.AbstractObjectParser.parseArray(AbstractObjectParser.java:382) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.AbstractObjectParser.lambda$declareFieldArray$23(AbstractObjectParser.java:300) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.lambda$declareField$9(ObjectParser.java:386) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.parseValue(ObjectParser.java:529) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.parseArray(ObjectParser.java:523) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.parseSub(ObjectParser.java:555) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ObjectParser.parse(ObjectParser.java:324) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ConstructingObjectParser.parse(ConstructingObjectParser.java:171) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.common.xcontent.ConstructingObjectParser.apply(ConstructingObjectParser.java:163) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.action.search.MultiSearchResponse.fromXContext(MultiSearchResponse.java:194) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.parseEntity(RestHighLevelClient.java:1892) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.lambda$performRequestAndParseEntity$8(RestHighLevelClient.java:1554) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1630) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1583) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1553) ~[?:?]
        at org.graylog.shaded.elasticsearch7.org.elasticsearch.client.RestHighLevelClient.msearch(RestHighLevelClient.java:1118) ~[?:?]
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.lambda$search$0(ElasticsearchClient.java:59) ~[?:?]
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.execute(ElasticsearchClient.java:97) ~[?:?]
        at org.graylog.storage.elasticsearch7.ElasticsearchClient.search(ElasticsearchClient.java:59) ~[?:?]
        at org.graylog.storage.elasticsearch7.SearchesAdapterES7.search(SearchesAdapterES7.java:122) ~[?:?]
        at org.graylog2.indexer.searches.Searches.search(Searches.java:156) ~[graylog.jar:?]
        at org.graylog2.indexer.searches.Searches.search(Searches.java:149) ~[graylog.jar:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.getAggregationAlertID(LoggingAlertUtils.java:108) ~[?:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.getListOfLoggingAlertField(LoggingAlertUtils.java:254) ~[?:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlert.execute(LoggingAlert.java:112) ~[?:?]
        at org.graylog.events.notifications.EventNotificationExecutionJob.execute(EventNotificationExecutionJob.java:135) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.executeJob(JobExecutionEngine.java:166) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.lambda$handleTrigger$2(JobExecutionEngine.java:144) ~[graylog.jar:?]
        at com.codahale.metrics.Timer.time(Timer.java:151) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.handleTrigger(JobExecutionEngine.java:144) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.lambda$execute$0(JobExecutionEngine.java:119) ~[graylog.jar:?]
        at org.graylog.scheduler.worker.JobWorkerPool.lambda$execute$0(JobWorkerPool.java:110) ~[graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_262]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_262]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_262]

Indeed the ES query is wrong:
streams:6183fe751c042859f953b84aalert_id:(01FKNVCGP742626JSEFX4Q8K79-838939282 OR 01FKNTT6ZT60CAGFW27RSQDW1G-838939282 OR 01FKNT7X5HW1ZJVPJE0WD6A7X6-838939282)

You need to add some spaces and the AND keyword:
streams:6183fe751c042859f953b84a AND alert_id:(01FKNVCGP742626JSEFX4Q8K79-838939282 OR 01FKNTT6ZT60CAGFW27RSQDW1G-838939282 OR 01FKNT7X5HW1ZJVPJE0WD6A7X6-838939282)

Can not load plugin on Graylog 4.3.5

Can not load the plugin on Graylog 4.3.5

2023-08-28T17:11:35.392+07:00 ERROR [CmdLineTool] Plugin "Logging Alert Notification" requires version 4.3.6 - not loading!

Plugin versions I tried:

  • 4.2
  • 4.3
  • 4.4
  • 4.5

Split fields are not displayed nicely

  1. Create a Logging Alert notification with multiple split fields (Alerts -> Notifications -> Create notification)
  2. Find the created notification in the list and click on its title to display it
  3. Split Fields are concatenated without a space between them

${logging_alert.messages_url} with multiple streams

When we create an "OR", "AND" or "THEN" rule with the wizard, it uses multiple streams.
However, the variable ${logging_alert.messages_url} only contains the first stream.
It would be nice to also deal with the second stream.
For example with a "OR" rule you have to create a search request like this:

stream:aaaaaaaaaaaaaa OR stream:bbbbbbbbbbbb

If the rule uses split fields:

(stream:aaaaaaaaaaaaaa OR stream:bbbbbbbbbbbb) AND split_fields1:xxx AND split_fields2:yyy

Single Message and foreach loop don't work: Multiple entries with the same key

Event definition:
- type: Filter & Aggregation
- conditions: triggers when there are more than 0 logs in the last 10 minutes, scheduled every one minute
- backlog: 100
Logs (I send these 2 logs in the same 1 minute window):
- log1: src_ip=1.1.1.1
- log2: src_ip=2.2.2.2
Notification:
- type: logging alert
- no split fields
- aggregation time range: 1440 minutes
- single message checked
- body: ${if backlog}"src_ip": [{foreach backlog message}${message.fields.src_ip}, ${end}]${end}

When it triggers I get an exception from EventProcessorEngine: java.lang.IllegalArgumentException: Multiple entries with the same key: 1.1.1.1 - 2.2.2.2=2 and 1.1.1.1 - 2.2.2.2=2

I would expect an alert log like:
"src_ip": ["1.1.1.1", "2.2.2.2", ]

(In addition, do you know how to remove the last comma in the array?)

logging_alert.id is not calculated when the field alert_id is present in the logs

In the plugin configuration I have configured the field alert_id as the alert id field.
I have created a correlation rule which is based on logs containing the field alert_id (logs generated by the logging alert plugin).
When my rule triggers, the logging_alert.id is not calculated, it is equal to the value of the alert_id field present in the logs.

The following schema shows my use case:
Logs A --> Rule A --> Notification A (logging alert log) --> Rule B --> Notification B (logging alert log)
logging_alert.id of Notification B is equal to logging_alert.id of Notification A.

Graylog 2.5 issues

I am getting this error:

2019-02-01 13:06:14.036 | graylog-1 | WARN [AlertNotificationsSender] Alarm callback <Logging Alert Notification> failed. Skipping.

Any ideas? I was running the internal logger plugin.

Exception when a split field is numeric

The following exception happens if a split field is numeric:

2022-08-24T15:01:54.332+02:00 ERROR [JobExecutionEngine] Unhandled job execution error - trigger=63062141c0374e468fc277f5 job=63061df4c0374e468fc26f63
java.lang.ClassCastException: java.lang.Integer cannot be cast to java.lang.String
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.buildSplitFieldsSearchQuery(LoggingAlertUtils.java:144) ~[?:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.getMessagesUrl(LoggingAlertUtils.java:188) ~[?:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlertUtils.getListOfLoggingAlertField(LoggingAlertUtils.java:217) ~[?:?]
        at com.airbus_cyber_security.graylog.events.notifications.types.LoggingAlert.execute(LoggingAlert.java:94) ~[?:?]
        at org.graylog.events.notifications.EventNotificationExecutionJob.execute(EventNotificationExecutionJob.java:135) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.executeJob(JobExecutionEngine.java:166) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.lambda$handleTrigger$2(JobExecutionEngine.java:144) ~[graylog.jar:?]
        at com.codahale.metrics.Timer.time(Timer.java:151) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.handleTrigger(JobExecutionEngine.java:144) ~[graylog.jar:?]
        at org.graylog.scheduler.JobExecutionEngine.lambda$execute$0(JobExecutionEngine.java:119) ~[graylog.jar:?]
        at org.graylog.scheduler.worker.JobWorkerPool.lambda$execute$0(JobWorkerPool.java:110) ~[graylog.jar:?]
        at com.codahale.metrics.InstrumentedExecutorService$InstrumentedRunnable.run(InstrumentedExecutorService.java:180) [graylog.jar:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [?:1.8.0_262]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [?:1.8.0_262]
        at com.codahale.metrics.InstrumentedThreadFactory$InstrumentedRunnable.run(InstrumentedThreadFactory.java:66) [graylog.jar:?]
        at java.lang.Thread.run(Thread.java:748) [?:1.8.0_262]

To reproduce this issue:

  1. Create the following Logging Alert notification:
Description:	Generated by the alert wizard
Alert Severity:	LOW
Log Content:
    alert_id: ${logging_alert.id}
    alert_title: ${event_definition_title} - ${if backlog && backlog[0]}${backlog[0].fields.dest_port}${end}
    alert_description: 
    severity: ${logging_alert.severity}
    create_time: ${event.timestamp_processing}
    detect_time: ${logging_alert.detect_time}
    analyzer: graylog
    messages_url: ${logging_alert.messages_url}
    custom: 
    drilldown: P30M
Split Fields:	dest_port
Aggregation Time Range:	1440
Alert Tag:	LoggingAlert
Single Notification:	false
  2. Create the following Event Definition:
Aggregation Count Alert Condition
Stream:	63061df4c0374e468fc26f5c
Threshold Type:	MORE
Threshold:	9
Search within:	2 minutes
Execute search every:	2 minutes
Grouping Fields:	dest_port
Distinction Fields:	No distinction fields for this condition.
Comment:	Generated by the alert wizard
Search Query:	*
  3. Send some logs to trigger the rule (at least 10 logs):
while true; do echo '<1>Aug 24 15:00:06 test006 json: {"dest_port": 1234}' | nc 127.0.0.1 2514; done

If the logs I send are not numeric, it works well (no exception, and the notification log is generated):

while true; do echo '<1>Aug 24 15:00:06 test006 json: {"dest_port": "1234"}' | nc 127.0.0.1 2514; done

I've checked the Elasticsearch index mapping and this field "dest_port" is a keyword and not a long:

curl 'https://elasticsearch:9200/graylog_0/_mapping/field/dest_port'
{"graylog_0":{"mappings":{"dest_port":{"full_name":"dest_port","mapping":{"dest_port":{"type":"keyword"}}}}}}

Graylog 5.1.2 doesn't find the "Logging Alert Notification" type

Environment:

  1. Graylog 5.1.2
  2. Uploaded graylog-plugin-logging-alert-5.1.0.jar to /usr/share/graylog-server/plugin/
  3. systemctl restart graylog-server

Alerts -> New Notification -> Notification Type
But I can't find the "Logging Alert Notification" type.

Escape backslashes in a split field's value in the logging_alert.messages_url query

The variable logging_alert.messages_url is a Graylog URI to retrieve logs which trigger an alert.
If you set split fields in the alert's notification, the value of the split field is included in this URI.
For example if the split field is user and its value for an alert is toto: q=user%3A%22toto%22

If this value contains backslashes, they need to be escaped with another backslash, otherwise the query won't find the logs in Graylog.
It often happens when you use a Windows filename as a split field.
The Graylog query filename:"C:\Windows\toto.exe" won't work, you need to escape backslashes: filename:"C:\\Windows\\toto.exe"
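The three query problems reported above (the aggregation lookup missing " AND " between the stream term and the alert_id term, messages_url covering only the first stream, and unescaped backslashes or numeric values in split-field values) all come down to building the query string carefully. The Python below is an added, illustrative builder, not the plugin's code: the stream ids, alert ids and field values are constructed, and the streams= parameter format follows the example log earlier on this page rather than the stream:a OR stream:b form suggested in the issue:

```python
"""Build the search query and URI behind logging_alert.messages_url, and the
aggregation lookup query, in the shape the issues on this page ask for.

Added example for illustration; not the plugin's implementation. Stream ids,
alert ids and field values are constructed."""
from urllib.parse import parse_qs, urlencode, urlparse


def quote_value(value):
    """Quote a split-field value for the query string. Backslashes are doubled
    first, then embedded double quotes are escaped, and non-string values
    (numeric fields) are converted with str() instead of being cast.
    Example: C:\Windows\toto.exe -> "C:\\Windows\\toto.exe"."""
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def build_query(split_fields):
    """AND-join one 'field:"value"' term per split field; '*' when there are none."""
    terms = [f"{field}:{quote_value(value)}" for field, value in split_fields.items()]
    return " AND ".join(terms) or "*"


def build_messages_url(stream_ids, split_fields, time_from, time_to):
    """Absolute-range search URI over all streams of the rule; several streams
    are comma-separated in streams=, as in the example log on this page."""
    params = {"rangetype": "absolute", "from": time_from, "to": time_to,
              "streams": ",".join(stream_ids), "q": build_query(split_fields)}
    return "/search?" + urlencode(params)


def build_aggregation_query(stream_id, alert_ids):
    """Query to find earlier alert logs in the Alerts Stream: the stream term and
    the alert_id term must be separated by ' AND ', not run together."""
    ids = " OR ".join(alert_ids)
    return f"streams:{stream_id} AND alert_id:({ids})"


def url_params(url):
    """Decode the query string of a generated URI back into {name: value}."""
    return {name: values[0] for name, values in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    url = build_messages_url(["63189ffd28af5049e6eef5a8", "63189ffd28af5049e6eef5cd"],
                             {"filename": r"C:\Windows\toto.exe", "dest_port": 1234},
                             "2022-12-22T09:53:25.146Z", "2022-12-22T10:04:30.616Z")
    print(url)
    print(url_params(url)["q"])
    print(build_aggregation_query("6183fe751c042859f953b84a", ["A-1", "B-1"]))
```

Escaping happens before URL encoding: the Windows path becomes filename:"C:\\Windows\\toto.exe" in the query, and urlencode then percent-encodes the backslashes and quotes so that Graylog decodes them back to exactly that query.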

Configuration is not well displayed

Steps to reproduce:

  1. Go to System / Configuration
  2. Configure Logging Alert Notification Configuration (for example, just add a word in the Log Content)
  3. Close your web browser
  4. Open your web browser
  5. Go to System / Configuration
  6. Logging Alert Notification Configuration is wrong, it displays the old configuration
  7. Something funny: Click on Configure and click Cancel: The good configuration appears!

(It is just a display issue, in MongoDB the configuration is good, and when you create a new rule the good logging configuration is applied)

Environment:

  • Graylog v4.3.11
  • LoggingAlert v4.2.0
  • Firefox 91.6 ESR

log_body is not taken from the configuration when creating an Event

Steps :

  1. Configure a log content (System -> Configurations -> Logging Alert Notification Configurations)
  2. Create an Event (Alerts -> Event Definitions -> Create Event Definitions)
    a. At the "Notifications" step, create a new notification of type "Logging Alert Notification"
    --> The body template displayed is correctly taken from the Logging Alert Notification Configurations
    b. At the "Summary" step, expand the Logging Alert Notification (More details)
    --> The issue is visible: the log content is wrong; it isn't the one displayed at the previous step
