Signal

A signal is a notification sent to Alert Management by LogMan.io Correlator, LogMan.io Baseliner, LogMan.io Watcher, LogMan.io Warden and other services whenever a detection fires.

Based on these signals, LogMan.io Alerts creates new tickets or updates existing ones, grouping related signals into the same ticket.

Configuring the signal in declarations

Detection rules (correlation rules, baseline rules, and similar) can include a signal section in their declaration to control whether and how they send signals to Alert Management: the default trigger, the grouping attributes, and the ticket title.

Default signal trigger

By default, when a correlation or baseline rule fires, it sends a signal so that LogMan.io Alerts can create or update a ticket. To disable this default signal (so that the rule does not create tickets in Alert Management), set:

signal:
  default: false

Use this when the rule is intended for analysis or as input to other rules, not as a direct source of alerts. For example, a baseline that only feeds correlation logic would set default: false.

Grouping attributes

Signals are grouped into tickets by a group id. By default, the group id is derived from the attributes in the rule's evaluate section (or the rule path). To specify different attributes for grouping, use the grouping option:

signal:
  grouping:
    - user.name
    - host.id

The listed attributes are used to build the group id. When a new signal arrives, Alerts looks for an existing ticket with the same group id and updates it; otherwise a new ticket is created. See Group Tickets for details.

Title

You can set a custom title for the ticket created from the signal:

signal:
  title: Host Anomaly

If not specified, the ticket title is derived from the rule (e.g. rule path or default naming).

Combining options

You can combine default, grouping, and title in a single signal section:

signal:
  default: true
  title: Host Anomaly
  grouping:
    - user.name
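The following is an added illustration of the behaviour described in the sections above (default trigger, grouping attributes, title, and their combination); it is not LogMan.io code. It models Alert Management as an in-memory ticket store: a rule whose signal section has default: false sends nothing, the group id is built from the grouping attributes (falling back to the evaluate attributes, then to the rule path), and a signal either updates the ticket with the same group id or opens a new one. The rule declarations, event attribute names and the exact form of the group id are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed rule declarations mirroring the signal sections shown on this page.
RULES = {
    "correlations/host-anomaly.yaml": {
        "evaluate": {"attributes": ["host.id"]},
        "signal": {"default": True, "title": "Host Anomaly", "grouping": ["user.name"]},
    },
    "baselines/login-rate.yaml": {
        "evaluate": {"attributes": ["user.name"]},
        "signal": {"default": False},  # analysis / correlation input only: no ticket
    },
    "correlations/brute-force.yaml": {
        "evaluate": {"attributes": ["user.name", "host.id"]},
        # no signal section: the signal is sent and grouping comes from evaluate
    },
}


@dataclass
class Ticket:
    group_id: str
    title: str
    signal_count: int = 0
    events: list = field(default_factory=list)


def group_id_for(rule_path, rule, event):
    """Build the group id: grouping attributes, else evaluate attributes, else rule path."""
    cfg = rule.get("signal", {})
    attrs = cfg.get("grouping") or rule.get("evaluate", {}).get("attributes") or []
    # Assumption: the rule path is always part of the group id so that tickets from
    # different rules never merge even when the attribute values coincide.
    parts = [rule_path] + [f"{a}={event.get(a, '')}" for a in attrs]
    return "|".join(parts)


def title_for(rule_path, rule):
    """Custom title from the signal section, otherwise derived from the rule path."""
    return rule.get("signal", {}).get("title") or rule_path


class AlertStore:
    """Minimal stand-in for Alert Management's ticket grouping (assumed model)."""

    def __init__(self):
        self.tickets = {}

    def ingest(self, rule_path, event):
        rule = RULES[rule_path]
        if not rule.get("signal", {}).get("default", True):
            return None  # default: false -> the rule fires but sends no signal
        gid = group_id_for(rule_path, rule, event)
        ticket = self.tickets.get(gid)
        if ticket is None:
            ticket = Ticket(group_id=gid, title=title_for(rule_path, rule))
            self.tickets[gid] = ticket
        ticket.signal_count += 1
        ticket.events.append(event)
        return ticket


def demo():
    """Feed constructed detections through the store and return it for inspection."""
    store = AlertStore()
    detections = [
        ("correlations/host-anomaly.yaml", {"user.name": "alice", "host.id": "h1"}),
        ("correlations/host-anomaly.yaml", {"user.name": "alice", "host.id": "h2"}),  # same user -> same ticket
        ("correlations/host-anomaly.yaml", {"user.name": "bob", "host.id": "h1"}),    # new ticket
        ("baselines/login-rate.yaml", {"user.name": "alice"}),                        # suppressed
        ("correlations/brute-force.yaml", {"user.name": "alice", "host.id": "h1"}),
        ("correlations/brute-force.yaml", {"user.name": "alice", "host.id": "h1"}),   # updates ticket
    ]
    for path, event in detections:
        store.ingest(path, event)
    return store


if __name__ == "__main__":
    for t in demo().tickets.values():
        print(f"{t.title!r:20} {t.signal_count} signal(s)  group={t.group_id}")
```

Running the module prints three tickets: two "Host Anomaly" tickets (one per user.name, the host.id difference is ignored because grouping overrides the evaluate attributes), and one ticket titled by its rule path for the brute-force rule, which groups on both evaluate attributes. The baseline rule produces no ticket at all.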

Where the signal section applies

  • Correlator declarations: use the signal section to control default signal, grouping, and title (see Correlator).
  • Baseliner declarations: set default: false in the signal section when the baseline is for analysis or correlation input only; title and grouping can also be set in the same section (see Defining baselines).
  • Other services (e.g. Warden, lookups) may support signal triggers in their trigger definitions; see the respective documentation.