4. Be alerted

Immediately receive alerts and trigger actions when something interesting or unusual happens.

Introduction

An alert (or event) is always based on one or more streams. Set up streams that categorize and group messages so you can later alert on aggregated metrics. Examples of streams are "Failed SSH logins", "HTTP 500s", "Blocked ICMP packets" or "All HTTP requests" (to measure response time). Learn more about streams in the documentation.

You can define Event Definitions that create events or alerts. Example: whenever the stream "All production exceptions" has more than 50 messages per minute, or when the field "milliseconds" has too high a standard deviation over the last five minutes.

You reach the alert configuration for a stream through the alerts overview page.

Create Event Definitions

First, you need to create an event definition to tell Graylog what you consider a situation in which to create an event. Go to the Alerts & Events management page and click on the Create Event Definition button. You will be presented with a wizard that guides you through the necessary steps.


Once you've created the event definition, Graylog will check the conditions at the configured execution interval periodically in the background. If the condition is triggered, an event will be created (and the configured notifications will be sent).
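To make the two example conditions from the introduction concrete (a count threshold per minute and a standard deviation over five minutes), here is an added illustrative re-implementation of that check logic in Python, run over constructed sample messages. It is example code written for this page, not Graylog's own event-processing code; the stream names, the `milliseconds` values and the `NOW` timestamp are constructed, and the "search within" window and "execute every" interval are modelled here as plain function parameters to mirror the settings you choose in the wizard.

```python
"""Illustrative aggregation-condition checks over constructed sample messages.
Example code for this page, not Graylog's implementation."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import pstdev

# Constructed reference time and the two look-back windows used below
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
ONE_MINUTE = timedelta(minutes=1)
FIVE_MINUTES = timedelta(minutes=5)


@dataclass
class Message:
    timestamp: datetime
    stream: str                          # stream the message was routed to
    fields: dict = field(default_factory=dict)


def in_window(messages, stream, now, search_within):
    """Messages of one stream inside the look-back window
    (the "search within" setting of an event definition)."""
    start = now - search_within
    return [m for m in messages
            if m.stream == stream and start < m.timestamp <= now]


def count_condition(messages, stream, now, search_within, threshold):
    """Count-based condition: more than `threshold` messages in the window."""
    n = len(in_window(messages, stream, now, search_within))
    return n > threshold, n


def stddev_condition(messages, stream, fld, now, search_within, threshold):
    """Field-based condition: population stddev of a numeric field exceeds
    `threshold`. Messages lacking the field are ignored."""
    values = [m.fields[fld]
              for m in in_window(messages, stream, now, search_within)
              if fld in m.fields]
    if len(values) < 2:
        return False, 0.0                # too little data to measure spread
    sd = pstdev(values)
    return sd > threshold, sd


def build_sample(now):
    """Constructed sample: an exception burst plus one latency outlier."""
    msgs = []
    # 60 exceptions in the last minute (above the threshold of 50) ...
    for i in range(60):
        msgs.append(Message(now - timedelta(seconds=i),
                            "All production exceptions",
                            {"message": "NullPointerException"}))
    # ... and 10 older ones that fall outside the one-minute window
    for i in range(10):
        msgs.append(Message(now - timedelta(minutes=2, seconds=i),
                            "All production exceptions", {}))
    # Response times over the last five minutes: steady, then one outlier
    for i, ms in enumerate([100, 110, 105, 95, 100, 2500]):
        msgs.append(Message(now - timedelta(seconds=30 * i),
                            "All HTTP requests", {"milliseconds": ms}))
    return msgs


def evaluate(now, messages):
    """One scheduled run of both event definitions ("execute every" tick).
    Returns the events that would be created, keyed by a constructed name."""
    events = {}
    hit, n = count_condition(messages, "All production exceptions",
                             now, ONE_MINUTE, 50)
    if hit:
        events["exception_burst"] = n
    hit, sd = stddev_condition(messages, "All HTTP requests", "milliseconds",
                               now, FIVE_MINUTES, 50.0)
    if hit:
        events["latency_spread"] = sd
    return events


if __name__ == "__main__":
    for name, value in evaluate(NOW, build_sample(NOW)).items():
        print(f"event {name}: {value:.1f}")
```

Each call to `evaluate` corresponds to one execution-interval tick; in Graylog the same windowed aggregation runs in the background at the interval you configured, and a hit creates the event and fires the attached notifications.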

The alerts documentation has more details and some use cases. We recommend that you head over there to learn more.