Http-plugin configuration (group_wait and group_threshold) problem

Foxinou35 · March 3, 2022, 1:04pm

Hi !

I have problem with it. Maybe I don’t understand it well (or documentation is not clear…)

In my understanding :

# group_wait: # duration to wait collecting alerts before sending to this plugin, eg "30s"

It will send any “stored” alerts every 30s to the notification plugin (sending every x seconds)

# group_threshold: # if alerts exceed this, then the plugin will be sent the message. eg "10"

If we reach 10 alerts, it will send the alerts. (sending every x alerts)

But when I check my debug log, I see the http post is done after each alert !

(obviously I do a crowdsec restart after each modification)

I was hoping to group send the alerts, to bypass the too many open files issue (see other thread Too many open files on http-plugin - #2 by Foxinou35)

thibault · March 8, 2022, 10:58am

How often do the alerts happen ? I think the grouping is “either of the two conditions is matched first”

Foxinou35 · March 14, 2022, 10:23am

3s, 6s, 8s, etc etc I mean I tried to set

group_threshold: 50 # if alerts exceed this, then the plugin will be sent the message. eg "10"

but I got notification on each alert… so it seems it is not working…

edit : group_wait seems to work but not group_theshhold

Can you confirm what I said in my first post ? Do I understand well ?

sbs2001 · April 6, 2022, 4:35am

Topic		Replies	Views
Limit the Number of Notifications crowdsec	3	736	November 25, 2021
Too many open files on http-plugin crowdsec	7	1121	March 25, 2022
HTTP notification customization for CloudRadar crowdsec	7	708	April 20, 2022
Telegram notification : plugin not enabled? crowdsec	4	696	August 10, 2023
Help Needed: CrowdSec Configuration Error	1	34	July 29, 2024