Closed frantz45 closed 3 years ago
Maybe the problem is related to split fields and suffix interfering. Anyway, would it be possible to get a detailed step-by-step scenario? Thank you. I believe, we first need to restate the goal of aggregation and, if possible, simplify the plugin behavior.
I confirm this issue is fixed in v4.0.0. However, we could improve this plugin; check issue https://github.com/airbus-cyber/graylog-plugin-logging-alert/issues/34
In the plugin configuration I have configured the field alert_id as the alert id field. I have created a correlation rule which is based on logs containing the field alert_id (logs generated by the logging alert plugin). When my rule triggers, the logging_alert.id is not calculated; it is equal to the value of the alert_id field present in the logs.
The following schema shows my use case:

Logs A --> Rule A --> Notification A (logging alert log) --> Rule B --> Notification B (logging alert log)

The logging_alert.id of Notification B is equal to the logging_alert.id of Notification A.
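A simplified model of the chained scenario above, added here as an illustration and not taken from the plugin's code: it assumes the notification id is copied from the configured alert id field whenever that field is present in the triggering logs, which is enough to reproduce Notification B repeating Notification A's id, and contrasts it with a variant that gives every triggering rule its own id.

```python
"""Model of the Logs A -> Rule A -> Notification A -> Rule B -> Notification B chain.

Added illustration, not the plugin's implementation. Assumption: the buggy
variant reuses the alert id found in the matched logs instead of computing one.
"""
import uuid

ALERT_ID_FIELD = "alert_id"  # field name configured as the "alert id field" in the issue


def notify_inheriting(rule_name, messages):
    """Assumed buggy behaviour: reuse the alert id carried by the matched logs."""
    found = [m[ALERT_ID_FIELD] for m in messages if ALERT_ID_FIELD in m]
    alert_id = found[0] if found else str(uuid.uuid4())
    # The notification is itself a log message that carries the alert id field.
    return {"rule": rule_name, ALERT_ID_FIELD: alert_id, "message": f"{rule_name} triggered"}


def notify_fresh(rule_name, messages):
    """Variant: each rule that triggers gets its own id, whatever fields the input carries."""
    return {"rule": rule_name, ALERT_ID_FIELD: str(uuid.uuid4()), "message": f"{rule_name} triggered"}


def chain(notify):
    """Run the two-rule chain and return (id of Notification A, id of Notification B)."""
    # Constructed sample input: plain logs without any alert id field.
    logs_a = [{"message": "login failed", "source": "host1"}]
    notification_a = notify("Rule A", logs_a)
    # Rule B is a correlation rule matching logs that contain the alert id field,
    # i.e. the notification log produced by Rule A.
    matched_by_b = [m for m in [notification_a] if ALERT_ID_FIELD in m]
    notification_b = notify("Rule B", matched_by_b)
    return notification_a[ALERT_ID_FIELD], notification_b[ALERT_ID_FIELD]


if __name__ == "__main__":
    a, b = chain(notify_inheriting)
    print("inheriting:", "same id" if a == b else "distinct ids")
    a, b = chain(notify_fresh)
    print("fresh:", "same id" if a == b else "distinct ids")
```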