eyelink
May 28, 2020, 1:26pm
1
Hi,
I tried to customize notification template variables collected through winlogbeat collector but with no luck:
This is an example of what I would like to receive by mail:
{message.fields}
{message.fields.full_message}{message.fileds.source}
Message Fields: {message.fileds}{message.fileds.timestamp}
Message Fields winlogbeat_event_data_IpAddress: {message.fileds.winlogbeat_event_data_IpAddress}
from none of the above variables I receive a data…
whats wrong with that?
Is there a way to see what variables can I use to be notified by mail?
Thanks for your help
jan
June 2, 2020, 6:31am
2
he @eyelink
what Graylog version are we talking about?
Did you checked the documentation?
eyelink
June 3, 2020, 3:00pm
3
Sure I have! but I cannot find any help for this topic
Version is Graylog 3.2.4+a407287 on graylog (Oracle Corporation 1.8.0_191 on Linux 4.15.0-46-generic)
Thanks
jan
June 4, 2020, 6:19am
4
please re-read the part of alerting with attention to the backlog
https://docs.graylog.org/en/3.2/pages/alerts.html
this will answer your question and if not, please return.
eyelink
June 4, 2020, 4:08pm
5
Thanks for your reply.
I’m sorry but I still cannot find a way to achieve my goal…
What I’m trying to do is get an alert triggeder by an event (and this is ok) with some more information that the stardard notification template.
For example the message fields contained in the log entry so for example source ip address, destination ip address, user logon name and so on.
Those informations are collected by winlogbeat at the moment.
Thanks for your help
At the moment could be ok to attach the whole message to the notification…but I cannot do that as well.
here’s the template I’m using ('ve cleared variables that didn’t work)
— [Event Definition] ---------------------------{event_definition_title}
Description: {event_definition_description}{event_definition_type}
--- [Event] --------------------------------------
Timestamp: {event.timestamp}{event.message}
Source: {event.source}{event.key}
Priority: {event.priority}{event.alert}
Timestamp Processing: {event.timestamp}{event.timerange_start}
Timerange End: {event.timerange_end}{foreach event.fields field} {field.key}: {field.value}
{end}
{if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
{foreach backlog message}{message}
{end}
thanks for your help
jan
June 5, 2020, 8:00am
6
— [Event Definition] ---------------------------
Title: {event_definition_title}
Description: {event_definition_description}
Type: {event_definition_type}
--- [Event] --------------------------------------
Timestamp: {event.timestamp}
Message: {event.message}
Source: {event.source}
Key: {event.key}
Priority: {event.priority}
Alert: {event.alert} T
imestamp Processing: {event.timestamp}
Timerange Start: {event.timerange_start}
Timerange End: {event.timerange_end}
Fields:
{foreach event.fields field} {field.key}: {field.value} {end}
{if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
{foreach backlog message}
{timestamp} - {source} - {message}
{end}
as an example above
shoothub
June 10, 2020, 1:13pm
7
You have to setup number of backlog to 1: in Alerts - Event Definitions - tab Notifications and field Message Backlog , tick the checkbox and set 1.
Message backlog define number of messages to be included in Notifications.
Source in default template for notification use {event.source}, which is source of event, not a source device.
If you want device source included in notification message use:${foreach backlog message}${message.source}${end}
If you want to use user field (for example: src_ip) use {$message.fields.src_ip} : ${foreach backlog message}${message.fields.src_ip}${end}
For example I use this message text after somebody connect to switch: {foreach backlog message} Source device: {message.source} Username: {message.fields.username} IP: {message.fields.src_ip} ${end}
You can also use same technique in message subject, for example I use this:User ${foreach backlog message}${message.fields.username}${end} connected to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}
Hope it helps.
5 Likes
eyelink
June 11, 2020, 7:43pm
8
you solved my graylog life!
thanks for your reply now I can finally achieve my goal.
Thanks for your help
system
June 25, 2020, 7:43pm
9
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
