Alert Scripts - Script Arguments - Field Format

tmacgbay · October 5, 2022, 7:55pm

I posted about this before but I still don’t have a solution - I have narrowed it down to what parameters are put in for script arguments in Graylog. If I put static information on the script Arguments Line, the script itself runs. What I need is the correct way to put in parameters based off of fields in the alert.

Has anyone passed in field data via Script arguments on an Alert Notification?

The metadata on the Script Argument Line is:

<UserName> <WorkstationName> <UserEmail> <Event Time>

If I put in static information like:

"tmacgbay" "Batcave-PC2" "Robin@batcave.com" "10-5-22"

then the outcome is as expected where Robin@batcave.com will receive an e-mail

I have tried the following that would pull data from the alerted on message

"${event.fields.winlog_event_data_TargetUserName}"   "${event.fields.winlog_event_data_TargetDomainName}" "${event.fields.user_email}"  "${event.fields.event_created}"

Or having it look more like the documentation (taking out the .fields.)

"${event.winlog_event_data_TargetUserName}"   "${event.winlog_event_data_TargetDomainName}" "${event.user_email}"  "${event.event_created}"

I have also tried removing the quotes…

If you have an example of using Alerts Scripting and passing parameters, can you post it here?

gsmith · October 5, 2022, 10:25pm

Hey,

I just started my GL operation docker server back up. I think I can test this out.`

tmacgbay · October 6, 2022, 1:45am

Where do I send the coffee?

gsmith · October 6, 2022, 2:27am

Ok so I have a slight problem, I’m using Docker Enterprise image and through in the Default example of Graylog alert script from the doc’s.

Jumping through hurdles right now. Permission issues, unable to locate script issues. TBH it is a good leaning lesson

gsmith · October 7, 2022, 10:27pm

@tmacgbay
I’ve been banging at it, so far I’m at this point.

Error: Script invocation failed: [Cannot run program "/usr/share/graylog/scripts/alert_script.py" (in directory "/usr/share/graylog/scripts"): error=13, Permission denied]

Adjust the permissions, added the X bit on the file. made sure Graylog had access to it.

I’m using Docker which I not so good at it for troubleshooting.
Never used Script to send mail.

Bonus, I’m learning

This might have to do with Python and access the docker container, not sure thou

tmacgbay · October 8, 2022, 12:02am

If I put static data for the fields it runs fine and sends the e-mail. But ${event.fields.event_time} and the like don’t work. I did change the script a bit since first post, I will put that in when I get to a computer.

Hope you Friday night is fun!

gsmith · October 8, 2022, 12:12am

thanks Tad,
yeah I cant wait to get home tonight. to much is going on here and I’m tired of looking at server lights and little black boxes

system · October 22, 2022, 12:12am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Script arguments for script notification Graylog Central (peer support) script	5	493	August 7, 2023
Send email alert by script deriving recipient from message field Miscellaneous alert	1	673	February 14, 2022
Extracting Message Parameters to Alert Emails Graylog Central (peer support)	6	1200	May 22, 2021
Unable to get events fields on notifications Graylog Central (peer support)	3	599	January 29, 2021
Displaying GELF Windows Event Log fields into the alert notification Graylog Central (peer support)	2	1445	June 8, 2018

Alert Scripts - Script Arguments - Field Format

Related Topics