Support new Alerts & Events API

Question

Support new Alerts & Events API

Closed this issue 5 years ago · 29 comments

Old Alerts system and API are deprecated.
https://docs.graylog.org/en/3.1/pages/streams/alerts.html#alerts-events

Answer 1 · 2019-09-11T11:17:31.000Z

http://127.0.0.1:9000/api/api-browser/#!/Events/Definitions

Events/Definitions : Event definition management

POST /events/definitions Create new event definition
GET /events/definitions/{definitionId} Get an event definition
PUT /events/definitions/{definitionId} Update existing event definition
DELETE /events/definitions/{definitionId} Delete event definition

Answer 2 · 2019-09-12T12:57:45.000Z

In general, Suzuki, did you try graylog provider with version 3.1, is it compatible?

Answer 3 · 2019-09-12T13:37:15.000Z

Yes. This project supports Graylog v3.1 .

I use v3.1 at the example and succeed to create Alert Condition and Alarm Callback.

Answer 4 · 2019-10-16T23:34:37.000Z

We have found in v3.1, alerts provisioned with this provider will not work until the Graylog master is rebooted, as this will run a migration job.

https://docs.graylog.org/en/3.1/pages/upgrade/graylog-3.1.html#alerts

Answer 5 · 2019-10-19T02:00:03.000Z

I'm asking about Graylog API at Forum.
https://community.graylog.org/t/how-do-we-create-an-event-definition-with-api-browser/12448

Answer 6 · 2019-12-02T13:55:34.000Z

Hello, any news about this?
It's very hard to use it now since as @cameronattard wrote - the Graylog server need to be rebooted...
Can I help somehow? (like upvoting graylog issue or something).

Answer 7 · 2019-12-03T00:37:28.000Z

Hi, I have good news.
I could create and update Event Definition and Event Notification by Graylog REST API, although I can't do it with Graylog API brower due to the bug of Graylog API brower.

https://gist.github.com/suzuki-shunsuke/39e31d46f195863d3298a8146df3ff8b

I'll try to handle this issue.

Answer 8 · 2019-12-03T13:43:34.000Z

Support Event Notification: #198

Answer 9 · 2019-12-03T23:44:55.000Z

I have released the new version v8.4.0.
Please read the document and example.

Support Event Definition

Answer 10 · 2019-12-06T14:19:04.000Z

Support Event Definition. #199

Answer 11 · 2019-12-07T04:14:18.000Z

I have released the new version v8.5.0.
Please read the document and example.

Answer 12 · 2019-12-07T04:18:11.000Z

The Event Definition API and Event Notification API have been supported, so I think we can close this issue.
Do you have any opinions?

Answer 13 · 2019-12-09T00:59:33.000Z

I will try this out today and let you know how it goes. Thanks!

Answer 14 · 2019-12-10T03:09:47.000Z

It seems connecting an event definition to an event notification is not currently working for me:

  notifications {
    notification_id = "${graylog_event_notification.pci_slack.id}"
  }

In the terraform state, I can see the notification configured:

                            "notifications.#": "1",
                            "notifications.0.notification_id": "5def010e751e9f000f7febd5",

But in the Graylog API browser (GET /events/definitions), it is not configured:

      "notifications": [],

Answer 15 · 2019-12-10T11:38:12.000Z

@cameronattard Thank you for your feedback!
I'll check.

Answer 16 · 2019-12-10T13:36:53.000Z

Fix the bug #201
#170 (comment)

Answer 17 · 2019-12-10T13:48:52.000Z

I have released the new version v8.5.1.
Please check.

Answer 18 · 2019-12-11T17:29:15.000Z

I just played a bit with it, and I have some problems how to write the config.
My use case is: there is a stream with severity ERROR, I want to be alerted when the message count in the stream in last 5 mins is > 0.
If I create such event definition with UI the api browser shows something like this:

      "id": "5df1245fdae272002352df02",
      "title": "test",
      "description": "",
      "priority": 2,
      "alert": false,
      "config": {
        "type": "aggregation-v1",
        "query": "",
        "streams": [
          "5df0d1dd5ba75d0023815986"
        ],
        "group_by": [],
        "series": [
          {
            "id": "32f6a303-6a1c-449b-b1e0-24e830d41a00",
            "function": "count",
            "field": null
          }
        ],
        "conditions": {
          "expression": {
            "expr": ">",
            "left": {
              "expr": "number-ref",
              "ref": "32f6a303-6a1c-449b-b1e0-24e830d41a00"
            },
            "right": {
              "expr": "number",
              "value": 1
            }
          }
        },
        "search_within_ms": 300000,
        "execute_every_ms": 60000
      },
      "field_spec": {},
      "key_spec": [],
      "notification_settings": {
        "grace_period_ms": 0,
        "backlog_size": 0
      },
      "notifications": [],
      "storage": [
        {
          "type": "persist-to-streams-v1",
          "streams": [
            "000000000000000000000002"
          ]
        }
      ]
    }

So the conditions references the series with some id.
Do you have an idea how to create such event definition?
I know it's more about Graylog itself and not the provider, but maybe someone knows how to do it..
Thanks!

Answer 19 · 2019-12-12T02:08:15.000Z

@gkocur it seems you can provide any arbitrary string as the series ID. Perhaps you could use https://www.terraform.io/docs/providers/random/r/uuid.html.

Answer 20 · 2019-12-12T04:59:53.000Z

@suzuki-shunsuke looks like the notifications are now being set correctly, thanks for fixing so quickly!

Answer 21 · 2019-12-12T09:01:40.000Z

I'll fix some bugs.
#202

Answer 22 · 2019-12-12T10:44:08.000Z

@cameronattard yes, I was trying to sniff what is sent to the api from web client and you are right, it seems the uuids are generated on client side. Thank you!

Answer 23 · 2019-12-12T13:27:18.000Z

I have released the new version v8.5.3.
Please check.

If there is no problem, I'll close this issue.

Answer 24 · 2019-12-12T21:11:16.000Z

Just tried 8.5.3 generally it works, but have small problem: if I run terraform apply and then terraform plan it shows me changes it want make.
Running apply again didn't solve it.
My definition:

resource "graylog_event_definition" "errors-in-logs" {
  title = "${var.env_name}-errors"
  alert = true
  priority = 2
  notifications {
    notification_id = graylog_event_notification.environment_slack_notification.id
  }
  config = <<EOF
{
  "type": "aggregation-v1",
  "query": "*",
  "streams": [
    "${graylog_stream.api-errors-alerts.id}",
    "${graylog_stream.trail-errors.id}",
    "${graylog_stream.smapi-errors.id}"
  ],
  "group_by": [],
  "series": [
    {
      "id": "${random_uuid.event_definition_errors_in_logs.result}",
      "function": "count",
      "field": null
    }
  ],
  "conditions": {
    "expression": {
      "expr": ">",
      "left": {
        "expr": "number-ref",
        "ref": "${random_uuid.event_definition_errors_in_logs.result}"
      },
      "right": {
        "expr": "number",
        "value": 0
      }
    }
  },
  "search_within_ms": 300000,
  "execute_every_ms": 60000
}
EOF
  notification_settings {
    grace_period_ms = 300000
    backlog_size = 0
  }
}

the terraform plan returns:

Terraform will perform the following actions:

  # module.graylog-common.graylog_event_definition.errors-in-logs will be updated in-place
  ~ resource "graylog_event_definition" "errors-in-logs" {
        alert      = true
      ~ config     = jsonencode(
          ~ {
                conditions       = {
                    expression = {
                        expr  = ">"
                        left  = {
                            expr = "number-ref"
                            ref  = "b2f16272-8502-b8f0-f14c-93a3d0771a60"
                        }
                        right = {
                            expr  = "number"
                            value = 0
                        }
                    }
                }
                execute_every_ms = 60000
                group_by         = []
                query            = "*"
                search_within_ms = 300000
              ~ series           = [
                  ~ {
                        field    = null
                        function = "count"
                        id       = "b2f16272-8502-b8f0-f14c-93a3d0771a60"
                    },
                ]
              ~ streams          = [
                  + "5df0d0ece40428002325e875",
                    "5de77d9e5ba75d0023780403",
                    "5de77d9eab60bc00246a70cd",
                  - "5df0d0ece40428002325e875",
                ]
                type             = "aggregation-v1"
            }
        )
        field_spec = jsonencode({})
        id         = "5df2547cdae27200235505ce"
        priority   = 2
        title      = "gseprod-errors"

        notification_settings {
            backlog_size    = 0
            grace_period_ms = 300000
        }

        notifications {
            notification_id = "5df25416dae272002355052b"
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Answer 25 · 2019-12-12T21:22:34.000Z

I was able to workaround it setting the streams in other order - so the ids are sorted alphabetically. So it looks for some sort problem?

Answer 26 · 2019-12-13T00:28:04.000Z

@gkocur
Thank you for your feedback.
As you said it is the sort problem.
It seems that the order of streams should be ignored.
So I fix it. #205

Answer 27 · 2019-12-13T00:55:43.000Z

I have released the new version v8.5.4.
Please check.

Answer 28 · 2019-12-13T07:42:20.000Z

@suzuki-shunsuke thank you for quick solve! No it works ok, I don't see any problems now :).

Answer 29 · 2019-12-16T23:36:43.000Z

I close this issue.

@gkocur @cameronattard
Thank you for your contribution!