Alert rule: syslog.timestamp check bug?

Hello,

when I try to create a rule from the collection -Es:(Syslog, Authentication failure on Device) syslog.timestamp >= macros.past_5m && syslog.msg ~ “@authentication [email protected]”-
I note that there is a problem about the check of the timestamp; I notice that in the mysql query the system add “” to macros.past_5m and maybe sql query is wrong.
The same result with any new rule that I create with a syslog.timestamp check.

Thanks

Do you mean this ? [Solved] Problem with Syslog alert rule

you can surround macros.past_5m in `` as a workaround.

yeaahh!!

thank you very much

  • you are using the old alert rule syntax, unless your install is out of date you should switch to the new style.