Unique Count for Alerts?

Posted: Mon Oct 14, 2019 3:20 am
by Wintermute
Hi there,

I was wondering if there's any way I can make an alert that uses unique count instead of just a threshold?

For example: I want to make a simple failed login alert, but I'm finding it nearly impossible to get it to a useful state because the alert-tool is looking at all events as a whole, and not just the log output per host.

In other ELK-based solutions it's a feature so I was wondering if I was missing it or something - as it seems like a pretty important tool to have when making alerts.

This problem spills over into panels, where it would be nice to have as well.

Thanks in advance :),

Re: Unique Count for Alerts?

Posted: Mon Oct 14, 2019 12:08 pm
by mbellerue
For the alerts, there is a field labeled Lookback Period. If you set that to the same amount of time as your Check Interval, that will give you unique instances of failed login attempts with every check.

Regarding panels, I'm not sure about this one. Are you referring to the filtering panels on the Dashboards page?

Re: Unique Count for Alerts?

Posted: Tue Oct 15, 2019 2:47 am
by Wintermute
And then it will separate the events per host as well?

Example: I have an alert for 10 failed logins over 10 mins. UserA fails 7 logins - at the same time UserB fails 3. Now I have triggered the alarm because I have 10 failed logins.

With the method you mentioned above, and the given example, will the alerting service then count those as 2 separate events and not give me an alert until both reach 10? Or will it still count 10, and throw me an alert?

For panels I was thinking the same: Sometimes it's nice to have unique count in a dashboard - but since posting I've discovered that I can make something similar with filtering and saved queries.

The most pressing is def. a per host option in the alerting. Otherwise I'll have to make hundreds of individual alerts for each client/server to achieve a "per host" alerting.
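The per-host counting asked for in this post, as an added Python example (not part of the thread and not Nagios Log Server code): it evaluates the scenario above over constructed events, first as one global threshold and then grouped by host or user, and goes one step beyond the post by including a host that really does exceed the threshold and a stale event outside the lookback period. Field names, hosts and timestamps are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 10                       # failed logins that trigger an alert
LOOKBACK = timedelta(minutes=10)     # lookback period == check interval
NOW = datetime(2019, 10, 15, 2, 47)  # evaluation time (constructed)

def failed_login(minutes_ago, host, user):
    """Build one constructed failed-login event as a dict (assumed field names)."""
    return {"@timestamp": NOW - timedelta(minutes=minutes_ago),
            "host": host, "user": user, "outcome": "failure"}

# Constructed sample data, not real logs: the thread's scenario (UserA fails 7,
# UserB fails 3 inside the window), plus a host that actually exceeds the
# threshold and one stale event that the lookback period must exclude.
EVENTS = (
    [failed_login(m, "srv01", "UserA") for m in range(1, 8)]      # 7 failures
    + [failed_login(m, "srv02", "UserB") for m in range(2, 5)]    # 3 failures
    + [failed_login(m / 2, "srv03", "UserC") for m in range(10)]  # 10 failures
    + [failed_login(15, "srv02", "UserB")]                        # outside lookback
)

def in_window(events, now=NOW, lookback=LOOKBACK):
    """Keep only events inside the lookback period, as the alert query would."""
    return [e for e in events if now - lookback <= e["@timestamp"] <= now]

def global_count(events, now=NOW):
    """What a plain threshold alert sees: every failure, whatever the host."""
    return len(in_window(events, now))

def per_field_counts(events, field, now=NOW):
    """Counts grouped by one field (host or user): the aggregation the post asks for."""
    return Counter(e[field] for e in in_window(events, now))

def firing(counts, threshold=THRESHOLD):
    """Return the group keys whose count reached the threshold."""
    return sorted(k for k, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    total = global_count(EVENTS)
    print("global:", total, "fires:", total >= THRESHOLD)
    by_host = per_field_counts(EVENTS, "host")
    print("per host:", dict(by_host), "fires for:", firing(by_host))
```

With only srv01 and srv02 present the global count is exactly 10 and the alert fires, while the per-host view fires for nothing; with srv03 added, only srv03 fires per host.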

Re: Unique Count for Alerts?

Posted: Tue Oct 15, 2019 1:33 pm
by mbellerue
Yes, my solution would fall flat in that example.

There have been people who have modified the queries by going into the Edit Alert screen, selecting Advanced (Manage Query), and editing the JSON directly. Here is one example,
https://support.nagios.com/forum/viewto ... s&start=10

That's a very deep dive, though. Currently I think it may be the only way to do what you're looking to do.