Alert email format

I'm trying to set up an alert and get the IP address from the message, but I can't get the formatting right.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:${event.timestamp}
Alert Condition Title:${alertCondition.title}
Message:${event.message}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Source IP: ${message.fields_entries.IpAddress}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

And the message is a standard EventID 4625 failed login from Windows.
I can't grab the IP address correctly.

{
"message": {
"fields": {
"WorkstationName": "TxxxxxxT2",
"EventID": 4625,
"IpAddress": "10.xx.xx133",
"TargetUserName": "zxxxxxxxxxxra",
"TargetUserSid": "S-1-0-0"
},
"complete": true,
"field_count": 34,
"validation_errors": "",
"fields_entries": [
{
"WorkstationName": "Txxxxxxxx"
},
{
"streams": [
"000000000000000000000001",
"5ef6151f74f25d31d7335465"
]
},
{
"SubjectUserName": "-"
},
{
"IpAddress": "10.xx.xx133"
},
{
"TargetUserName": "zoxxxxxxxa"
},
{
"TargetUserSid": "S-1-0-0"
}
]
}
}

If you want to use a user field (for example IpAddress), use {$message.fields.IpAddress}:
${foreach backlog message}${message.fields.IpAddress}${end}

You need to use the foreach cycle for backlog if you want to use message fields.

Also don't forget that you have to set the backlog number to 1: in Alerts - Event Definitions - tab Notifications, field Message Backlog, tick the checkbox and set 1.

You can also use the same technique in the message subject; for example, I use this:
User ${foreach backlog message}${message.fields.username}${end} connected to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}
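A corrected version of the original poster's template, put together here as an added example (it is not from the thread itself), taking the per-message fields through the backlog loop described above. It assumes Message Backlog is set to 1 in the notification and that IpAddress, TargetUserName and WorkstationName are extracted fields on the 4625 message, as in the JSON posted earlier:

```text
--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Source IP:            ${foreach backlog message}${message.fields.IpAddress}${end}
Target User:          ${foreach backlog message}${message.fields.TargetUserName}${end}
Workstation:          ${foreach backlog message}${message.fields.WorkstationName}${end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}
```

With the backlog limited to 1 and the aggregation grouped by IpAddress, each alert carries exactly one source address, so the loop prints a single value rather than a concatenation.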

Sadly, that didn't work.

It should definitely work, please:

  1. Remove the incorrectly formatted line {$message.fields.IpAddress} and replace it only with a label, e.g.: Source IP:
  2. Check your Message Backlog setting in the event definition.
  3. And how about the message field, is it printed correctly? I mean after the line Last messages accounting for this alert:

Perhaps this can help


and the result (source IP is blank):

--- [Event Definition] ---------------------------
Title: Password/Account Spray
Description:
Type: aggregation-v1
--- [Event] --------------------------------------
Timestamp:2020-09-02T15:54:21.347Z
Alert Condition Title:
Message:Password/Account Spray: count(IpAddress)=5953.0
Timestamp Processing: 2020-09-02T15:54:21.347Z
Timerange Start: 2020-09-02T15:44:21.347Z
Timerange End: 2020-09-02T15:54:21.346Z
Source IP:
Fields:

How about the full message below the line --- [Backlog] ------
Is there a full message, or is it also empty?

Yes, there is a full message. The bold text is what I want to capture

--- [Backlog] ------------------------------------
Last messages accounting for this alert:

{index=graylog_67, message=An account failed to log on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: shxxxxxxxx
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: Cxxxxxxx
Source Network Address: 10.xx.xx.11
Source Port: 63171

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated, fields={Category=Logon, EventType=AUDIT_FAILURE, gl2_remote_ip=132.xx.xx.99, gl2_remote_port=50130, Opcode=Info, IpPort=63171, gl2_source_input=5f15b9109fafc246a67486fa, SeverityValue=4, WorkstationName=Cxxxxxx, SubjectDomainName=-, gl2_source_node=1d506787-485b-4d2f-abfe-be702054b354, SubStatus=0xc000006a, LogonProcessName=NtLmSsp, gl2_accounted_message_size=2086, level=3, Channel=Security, LogonType=3, gl2_message_id=01EH81JDFKVDMPFGPAQX2K8CQ4, SourceName=Microsoft-Windows-Security-Auditing, Severity=ERROR, EventReceivedTime=2020-09-02 12:34:23, SourceModuleName=eventlog, SubjectUserName=-, full_message=An account failed to log on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: S-1-0-0
Account Name: shxxxxx
Account Domain:

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xC000006D
Sub Status: 0xC000006A

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: Cxxxxxx
Source Network Address: 10.xx.xx.11
Source Port: 63171

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated, FailureReason=%%2313, EventID=4625, IpAddress=10.xxxx.xxx.11, TargetUserName=shxxxxxxx, TargetUserSid=S-1-0-0}, id=ec4ca430-ed4a-11ea-81db-506b8d262870, timestamp=2020-09-02T18:34:22.000Z, source=DC-PRD-01.xxxxxxx.edu, stream_ids=[5ef6151f74f25d31d7335465, 000000000000000000000001]}

IP ${foreach backlog message}${message.fields.IpAddress}${end}

If you change to this, without the foreach part, does it work or not?
IP ${message.fields.IpAddress}

It doesn't; I tried that first already.

You highlighted a slightly odd line; it's from the message field, but it can only work in the email template if the IP address is from an extracted field. Please also check that you don't use parameters in the event definition…

We may finally have it the way we want. It was like @shoothub had originally, combined with grouping by IPAddress as well.
