airbus-cyber/graylog-plugin-aggregation-count

How does the query work? I'm unable to filter using query on Graylog 3

Closed this issue · 2 comments

Hello,

I'm trying to use your plugin to detect brute force attacks, but I want to filter out some IPs that are allowed and clients that are already blocked, and the query doesn't work for me.

My configuration is:
backlog: 1
comment: <empty>
distinction_fields: <empty>
grace: 0
grouping_fields: remote_addr
query: NOT status: 403
repeat_notifications: false
threshold: 1000
threshold_type: MORE
time: 10

but when I receive alerts from this plugin, they are from an IP that is already blocked and gets a status 403.
I've tested that filter on Graylog and it works fine: that IP is filtered and doesn't appear, so it looks like a problem with the query configuration in the plugin.

My graylog version is 3.0.0:
Version: 3.0.0+db6cf59, codename Space Moose
JVM: PID 2470, Oracle Corporation 1.8.0_181 on Linux 4.9.0-8-amd64

Am I doing something wrong?

EDIT: I've tested the same filter on a simple message count alert and it seems to be working, but this plugin doesn't.

Thanks.
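As an added illustration (this is not code from the plugin, from Graylog, or from the reporter), the following Python model shows the behaviour the configuration above is meant to have: the `query` is applied to each message before the messages are grouped by `remote_addr` and counted against `threshold`, so a client whose requests all return 403 can never reach the threshold. The sample messages, IP addresses and the tiny `field:value` / `NOT field:value` query evaluator are constructed for this example.

```python
"""Toy model of an aggregation-count alert condition with a query filter.

Added example, not the graylog-plugin-aggregation-count code. It models the
settings from the issue (query, grouping_fields, threshold, threshold_type,
time) so the effect of applying the query *before* aggregation is visible.
"""
from collections import Counter
from datetime import datetime, timedelta

BASE = datetime(2019, 3, 1, 12, 0, 0)  # constructed reference time


def make_messages():
    """Constructed sample messages; the IPs are documentation ranges, not real hosts."""
    msgs = []
    # A client that is already blocked: every request is answered with 403.
    for i in range(1200):
        msgs.append({"timestamp": BASE + timedelta(seconds=i % 600),
                     "remote_addr": "198.51.100.7", "status": 403})
    # A client still hammering the login form: every attempt is a 401.
    for i in range(1100):
        msgs.append({"timestamp": BASE + timedelta(seconds=i % 600),
                     "remote_addr": "203.0.113.9", "status": 401})
    # A normal client with a handful of successful requests.
    for i in range(50):
        msgs.append({"timestamp": BASE + timedelta(seconds=i),
                     "remote_addr": "192.0.2.25", "status": 200})
    return msgs


def matches_query(msg, query):
    """Evaluate a minimal subset of the search syntax: 'field:value' or 'NOT field:value'.

    Whitespace around the value is ignored, so 'NOT status: 403' is accepted
    exactly as written in the issue's configuration.
    """
    negate = query.startswith("NOT ")
    term = query[4:] if negate else query
    field, _, value = term.partition(":")
    hit = str(msg.get(field.strip())) == value.strip()
    return not hit if negate else hit


def aggregation_count_alert(messages, *, query, grouping_fields, threshold,
                            threshold_type, time_minutes, now):
    """Return the grouping keys whose message count trips the threshold.

    Steps: restrict to the time window, apply the query filter, group by the
    grouping fields, then compare each group's count with the threshold.
    """
    window_start = now - timedelta(minutes=time_minutes)
    in_window = [m for m in messages if window_start <= m["timestamp"] <= now]
    filtered = [m for m in in_window if query is None or matches_query(m, query)]
    counts = Counter(tuple(m[f] for f in grouping_fields) for m in filtered)
    if threshold_type == "MORE":
        return {k: c for k, c in counts.items() if c > threshold}
    if threshold_type == "LESS":
        return {k: c for k, c in counts.items() if c < threshold}
    raise ValueError(f"unknown threshold_type {threshold_type!r}")


def run_issue_scenario():
    """Evaluate the issue's settings with and without the query filter applied."""
    settings = dict(grouping_fields=["remote_addr"], threshold=1000,
                    threshold_type="MORE", time_minutes=10,
                    now=BASE + timedelta(seconds=600))
    msgs = make_messages()
    with_filter = aggregation_count_alert(msgs, query="NOT status: 403", **settings)
    without_filter = aggregation_count_alert(msgs, query=None, **settings)
    return with_filter, without_filter


if __name__ == "__main__":
    filtered, unfiltered = run_issue_scenario()
    print("query applied  :", filtered)    # only the 401-hammering client
    print("query ignored  :", unfiltered)  # the blocked client alerts as well
```

Running the scenario shows the two outcomes the reporter is contrasting: with the query applied, only the client producing 401s exceeds the threshold; if the query were ignored, the already-blocked client (all 403s) would also alert, which is the symptom described in the report.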

Hi,

Thank you for reporting this issue.
I think it is the same issue as #2.

Hello,

Yes, it looks like the problem is similar (or the same).

Thanks!!