Alert rule: syslog.timestamp check bug?
When I try to create a rule from the collection -Es:(Syslog, Authentication failure on Device) syslog.timestamp >= macros.past_5m && syslog.msg ~ "@authentication failure@"-
I note that there is a problem with the timestamp check; I notice that in the MySQL query the system adds "" to macros.past_5m, and maybe the SQL query is wrong.
I get the same result with any new rule that I create with a syslog.timestamp check.
Do you mean this? [Solved] Problem with Syslog alert rule

You can surround macros.past_5m in `` as a workaround.
Thank you very much.

  • You are using the old alert rule syntax; unless your install is out of date, you should switch to the new style.