Expected Behavior
It should be possible to define rules for when an alert should be cleared/resolved. At the moment Graylog will mark an alert as resolved when its condition is no longer satisfied. Since this does not always mark when an alert is over, it should be possible to define a second rule that will resolve the issue.
In addition, it should be possible to send an "alert resolved" email that informs every recipient that the triggered alert has been resolved. (I will open an additional issue for this)
Current Behavior
At the moment Graylog will only mark an alert as resolved when its condition is no longer satisfied.
Context
Example: An NTP server sometimes struggles with the radio signal of the DCF77 clock signal sent from Frankfurt, Germany. It loses the signal and switches to its local quartz clock and sends a syslog message. This should start an alert and send an email to the person controlling the NTP servers as a notification. If the NTP server regains the signal, it sends another syslog message which should mark the alert as resolved and should also be able to send a second notification/email that informs about the resolved alert.
Similar request: https://community.graylog.org/t/back-to-normal-alert/599
Your Environment
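The difference between the current and the requested behaviour, as an added example that is not part of the original issue and is not Graylog code. It is a simplified stand-alone model: the syslog message texts, the 300-second condition window and the 60-second check interval are assumptions made for illustration.

```python
import re

# Constructed syslog lines (time in seconds, message). The message texts are
# hypothetical; the issue does not quote the NTP server's real messages.
SAMPLE = [
    (0,    "ntpd: DCF77 signal lost, switching to local quartz clock"),
    (30,   "ntpd: poll interval adjusted"),
    (3600, "ntpd: DCF77 signal regained, synchronised"),
    (7200, "ntpd: DCF77 signal lost, switching to local quartz clock"),
]
TRIGGER = re.compile(r"DCF77 signal lost")
RESOLVE = re.compile(r"DCF77 signal regained")

def condition_based(events, window=300, step=60, end=7500):
    """Current behaviour as described in the issue: the alert is resolved as
    soon as its condition (a trigger message within the last `window`
    seconds, an assumed condition type) is no longer satisfied."""
    transitions, is_open = [], False
    for now in range(0, end + 1, step):
        hit = any(TRIGGER.search(m) and now - window < t <= now
                  for t, m in events)
        if hit != is_open:
            is_open = hit
            transitions.append((now, "triggered" if hit else "resolved"))
    return transitions

def rule_based(events):
    """Requested behaviour: a second rule resolves the alert. Each returned
    transition is a point where a notification email would be sent."""
    transitions, is_open = [], False
    for t, msg in events:
        if not is_open and TRIGGER.search(msg):
            is_open = True
            transitions.append((t, "triggered"))
        elif is_open and RESOLVE.search(msg):
            is_open = False
            transitions.append((t, "resolved"))
    return transitions

if __name__ == "__main__":
    print("condition-based:", condition_based(SAMPLE))
    print("rule-based:     ", rule_based(SAMPLE))
```

In this model the condition-based alert is marked resolved at 300 seconds although the server runs on its quartz clock until 3600 seconds, while the rule-based alert stays open until the "regained" message arrives.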