airbus-cyber / graylog-plugin-alert-wizard

Alert Wizard plugin for Graylog to manage the alert rules

Disabling a wizard rule should disable the event definition #58

Closed frantz45 closed 12 months ago

frantz45 commented 2 years ago

When you disable a rule from the Wizard it pauses the corresponding streams. It works well because logs can't go into the streams anymore, so the event definition doesn't find any log. But the event definition is still trying to find events every X minutes. It would be cleaner to disable the event definition (in addition to pausing the streams).

frantz45 commented 1 year ago

It's very problematic for "less than 1" rules, because they will always trigger as there is no log in the Stream. Pausing the Event Definition is mandatory for this use case.

c8y3 commented 1 year ago

Cases to handle:

c8y3 commented 1 year ago

It seems the disabling/enabling of streams is currently exclusively done on the GUI side (see https://github.com/airbus-cyber/graylog-plugin-alert-wizard/blob/4.4.1/src/web/wizard/components/AlertRuleList.jsx#L106). The disabled state of the rule is based on the disabled state of the stream. Likewise, methods enable and disable of the EventDefinitionsStore should prove useful to fix this issue.
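The two disable flows discussed in this thread, as an added example that is not the plugin's or Graylog's own code: a stream-only disable (the behaviour reported in the issue) next to a disable that also turns off the event definition. The in-memory state, the `StreamsStore`/`EventDefinitionsStore` objects and every function name below are hypothetical stand-ins for the Graylog web stores the comment mentions; the evaluation loop is a simplified model of a scheduled "less than" event definition, not Graylog's real scheduler.

```javascript
// Added example, not code from graylog-plugin-alert-wizard. Models why pausing
// the rule's stream alone is not enough: a "less than 1" event definition keeps
// being evaluated against an empty stream and fires on every run.

// Constructed in-memory state: one wizard rule, its stream and its event definition.
function makeState() {
  return {
    streams: { 'stream-1': { disabled: false, messages: [] } },
    eventDefinitions: {
      'evdef-1': {
        state: 'ENABLED',
        streamId: 'stream-1',
        // "less than 1" rule: fires when fewer than 1 message is found
        condition: { type: 'LESS', threshold: 1 },
      },
    },
    rules: { 'rule-1': { streamId: 'stream-1', eventDefinitionId: 'evdef-1' } },
  };
}

// Hypothetical stand-ins for Graylog's StreamsStore and EventDefinitionsStore
// (the real ones issue REST calls; these just mutate the constructed state).
const StreamsStore = {
  pause(state, id) { state.streams[id].disabled = true; },
  resume(state, id) { state.streams[id].disabled = false; },
};
const EventDefinitionsStore = {
  disable(state, id) { state.eventDefinitions[id].state = 'DISABLED'; },
  enable(state, id) { state.eventDefinitions[id].state = 'ENABLED'; },
};

// As the comment notes, the rule's disabled state is derived from the stream's.
function isRuleDisabled(state, ruleId) {
  return state.streams[state.rules[ruleId].streamId].disabled;
}

// Behaviour reported in the issue: only the stream is paused.
function disableRuleStreamOnly(state, ruleId) {
  StreamsStore.pause(state, state.rules[ruleId].streamId);
}

// Behaviour requested in the issue: pause the stream AND disable the event definition.
function disableRule(state, ruleId) {
  const rule = state.rules[ruleId];
  StreamsStore.pause(state, rule.streamId);
  EventDefinitionsStore.disable(state, rule.eventDefinitionId);
}

// Symmetric re-enable so the rule can be switched back on from the Wizard.
function enableRule(state, ruleId) {
  const rule = state.rules[ruleId];
  StreamsStore.resume(state, rule.streamId);
  EventDefinitionsStore.enable(state, rule.eventDefinitionId);
}

// Routing: a paused stream receives no messages. Returns whether it was stored.
function ingest(state, streamId, message) {
  const stream = state.streams[streamId];
  if (stream.disabled) return false;
  stream.messages.push(message);
  return true;
}

// One scheduled evaluation of the event definition over the current window.
// Returns true if an alert fires, false if not, null if the definition is disabled
// (i.e. the scheduler skips it entirely).
function evaluate(state, evdefId) {
  const def = state.eventDefinitions[evdefId];
  if (def.state !== 'ENABLED') return null;
  const count = state.streams[def.streamId].messages.length;
  const { type, threshold } = def.condition;
  return type === 'LESS' ? count < threshold : count > threshold;
}

// Scenario: disable the rule with the given strategy, then let a constructed log
// line arrive and run one evaluation.
function runScenario(disableFn) {
  const state = makeState();
  disableFn(state, 'rule-1');
  ingest(state, 'stream-1', 'constructed log line');  // dropped: stream is paused
  return evaluate(state, 'evdef-1');
}

// Stream-only disable: the empty stream satisfies "less than 1", so a false alert fires.
console.log('stream only ->', runScenario(disableRuleStreamOnly));
// Stream + event definition disabled: the definition is not evaluated at all.
console.log('stream + event definition ->', runScenario(disableRule));
```

The point the thread makes is visible in the last two lines: with the stream paused but the event definition left enabled, every evaluation sees zero messages and a "less than 1" condition is always true; disabling the event definition is what stops the scheduler from looking.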

frantz45 commented 12 months ago

I've tested with Wizard v5.1.0 and I confirm it works well