Email Alert Notifications - Triggered Message does not appear

Hi,

I need some help to parse the current/triggered message details via email alert notification.

Environment:
Graylog: 3.1.2+9e96b08
Elastic: 6.8.3-1
Mongodb: 4.0.12-1

Graylog Usage:
One of the business cases of our Graylog adoption is to replace Kiwi Syslog alert for messages received from our Cisco Switch/Router hardware. Kiwi Syslog would send an email whenever a user attempted to access a device containing timestamp, device name and username.

Issue:
Alert Notification has been set up and emails are being received. But the content does not reveal the triggered message. Any variables that are outside the backlog section do not populate, and the messages that are in the backlog are from the previous attempt earlier in the day.

Example:
User A logs on to switch A at 10:32am (Email sent but with previous attempt information)
User B logs on to switch A at 14:32pm (Email sent but with the 10:32am details populated)

Email Notification Settings:
--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}

--- [Stream] ---------------------------
Stream ID: ${stream.id}
Stream:    ${stream_name}
${if stream_url}Stream Url: ${stream_url}${end}

--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}

${message}

${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

Message Example:
Email Timestamp: 15:14pm

--- [Event Definition] ---------------------------
Title: Failed Cisco Authentications Event
Description:
Type: aggregation-v1

--- [Stream] ---------------------------
Stream ID:
Stream:

--- [Event] --------------------------------------
Timestamp: 2019-09-26T10:00:36.271Z
Message: Cisco Authentications Event
Source: graylog1.
Key:
Priority: 2
Alert: true
Timestamp Processing: 2019-09-26T10:00:36.271Z
Timerange Start:
Timerange End:
Fields:

--- [Backlog] ------------------------------------
Last messages accounting for this alert:

{index=graylog_2, message=Sep 26 10:00:36.305: %SYS-5-CONFIG_I: Configured from console by on vty0 (), timestamp=2019-09-26T10:00:36.271Z, fields={sequence_number=3391, level=5, gl2_remote_ip=, gl2_remote_port=56627, gl2_message_id=01DNPG7TNJ57NKT1KH0J68GD53, gl2_source_node=0d4b0e3f-2406-4133-bfa8-190fb149c157, gl2_source_input=5d7f70d09158b71067979e91, facility=local7}, id=7c8093f0-e044-11e9-a159-005056b90156, source=:, stream_ids=[5d7f54529158b71067977779, 5d7f54529158b71067977769, 5d7f54519158b71067977761]}

Additional Settings:
Stream: Single stream attached to input syslog on port 5140
Search within the last: 1 second
Execute search every: 1 second
Create Events for Definition if: Filter has results
No Custom Fields
Grace Period: Unticked
Message Backlog: 1

Currently, if this was a suspicious user attempt on a core switch, we would not be alerted until the next trigger.

Thanks in advance
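The backlog entry in the post is Graylog's plain toString() dump of the message object, so the timestamp, device and username the Kiwi-style alert needs still have to be pulled out of it. As an added example (not from the post and not Graylog's own code), here is a small Python parser for that dump format plus a regex for the Cisco "Configured from console by <user> on <line> (<addr>)" text; the regex and the second sample message in the test are assumptions/constructed, the first sample is the line from the post.

```python
import re

# Backlog entry exactly as the post shows it (Graylog prints the Message object's toString()).
BACKLOG_LINE = (
    "{index=graylog_2, message=Sep 26 10:00:36.305: %SYS-5-CONFIG_I: Configured from console by on vty0 (), "
    "timestamp=2019-09-26T10:00:36.271Z, fields={sequence_number=3391, level=5, gl2_remote_ip=, gl2_remote_port=56627, "
    "gl2_message_id=01DNPG7TNJ57NKT1KH0J68GD53, gl2_source_node=0d4b0e3f-2406-4133-bfa8-190fb149c157, "
    "gl2_source_input=5d7f70d09158b71067979e91, facility=local7}, id=7c8093f0-e044-11e9-a159-005056b90156, source=:, "
    "stream_ids=[5d7f54529158b71067977779, 5d7f54529158b71067977769, 5d7f54519158b71067977761]}"
)
# Assumed Cisco CONFIG_I shape "... by <user> on <line> (<addr>)"; <user> is optional because the post's device logged none.
CISCO_CONFIG = re.compile(
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): .*?by(?: (?P<user>\S+))? on (?P<line>\S+) \((?P<addr>[^)]*)\)"
)


def parse_dump(text):
    """Parse a Java-style '{k=v, k={...}, k=[...]}' dump into nested dicts and lists (values stay strings)."""
    pos = 0

    def value():  # parses one value at pos; leaves pos on the following ',' or closing bracket
        nonlocal pos
        if text[pos] not in "{[":
            start = pos
            while pos < len(text) and text[pos] not in ",}]":
                pos += 1
            return text[start:pos].strip()
        is_map, out = text[pos] == "{", {} if text[pos] == "{" else []
        pos += 1
        while True:
            while text[pos] in " ,":  # skip separators between entries
                pos += 1
            if text[pos] in "}]":
                pos += 1
                return out
            if is_map:
                eq = text.index("=", pos)
                key, pos = text[pos:eq], eq + 1
                out[key] = value()
            else:
                out.append(value())

    return value()


def summarize(line):
    """Pull out what the Kiwi-style alert needs: when, which device, who, and from where."""
    msg = parse_dump(line)
    m = CISCO_CONFIG.search(msg.get("message", ""))
    g = m.groupdict() if m else {}
    return {"timestamp": msg.get("timestamp"), "device": msg.get("source"),
            "input": msg.get("fields", {}).get("gl2_source_input"),
            "mnemonic": g.get("mnemonic"), "user": g.get("user"),  # user None: device logged no username
            "line": g.get("line"), "addr": g.get("addr")}
```

Note that for the post's own line the username comes back as None because the switch did not log one, which is worth alerting on in its own right.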
