Email Alerts w/ Additional Information

Good morning, I have email alerts set up and working, but would like more information in the alerts. For example, the following message, when logged, would trigger an e-mail.

“error: maximum authentication attempts exceeded for invalid user hacker from X.X.X.X”

I would like to include the user (hacker) and IP (X.X.X.X) in the email, but am not sure how.

Thank you, Zach.

Edit: I would also be OK with just including the full message in the Email.

I’m reading this: Alerts — Graylog 4.0.0 documentation and just not getting it…

Hey @dickinsonzach, it is the ‘lazy’ way but I always just include the message in the email alert as a payload. (enable message backlog)

If there’s some reason you don’t want to do that like there’s other information in the message that you don’t want some alert recipients to see, you could set up an extractor that pulls the pertinent information into custom fields and then include those in your email message.
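As an added illustration (not code from any poster in this thread and not part of Graylog), this Python sketch shows the parsing an extractor would need to perform on the sshd message quoted above. The field names `ssh_user`, `ssh_src_ip` and `ssh_invalid_user` are hypothetical and the sample lines are constructed; because the user name is chosen by the remote client, the pattern anchors on the fixed tail of the line instead of the first " from ".

```python
import ipaddress
import re

# The user name is attacker-supplied text, so match greedily and anchor on the
# fixed tail ("from <ip> [port N] [ssh2] [[preauth]]") at the end of the line.
PATTERN = re.compile(
    r"maximum authentication attempts exceeded for "
    r"(?P<invalid>invalid user )?(?P<user>.*) "
    r"from (?P<ip>\S+)(?: port (?P<port>\d+))?(?: ssh2)?(?: \[preauth\])?\s*$"
)


def extract_fields(message):
    """Return hypothetical custom fields for one sshd message, or None."""
    m = PATTERN.search(message)
    if m is None:
        return None
    try:
        # Reject anything that is not a real IPv4/IPv6 literal.
        ip = str(ipaddress.ip_address(m.group("ip")))
    except ValueError:
        return None
    return {
        "ssh_user": m.group("user"),
        "ssh_src_ip": ip,
        "ssh_invalid_user": m.group("invalid") is not None,
    }


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLES = [
    "error: maximum authentication attempts exceeded for invalid user hacker "
    "from 203.0.113.7 port 51234 ssh2 [preauth]",
    "error: maximum authentication attempts exceeded for root "
    "from 2001:db8::5 port 40022 ssh2 [preauth]",
    # User name crafted to look like a source address of its own.
    "error: maximum authentication attempts exceeded for invalid user "
    "admin from 10.0.0.1 from 198.51.100.9 port 2222 ssh2 [preauth]",
    "Accepted password for alice from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(extract_fields(line))
```

In the third sample the address embedded in the user name stays inside `ssh_user`, so the alert still reports the address sshd itself recorded.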

I ended up “getting it”. I made one alert that searched for a few different login failures. Then I made custom fields in that alert for Message and Source. Then in the Notification, I referenced them using {event.fields.Msg} and {event.fields.Src}, Msg and Src being the custom fields I set up earlier.

Src was {source.source}
Msg was {source.message}

Working well!

Check my previous post about this:

Thank you, that’s great info.

What do you mean by “source of event, not a source device”? In my case they seem to be the same.

Thank you, Zach.

An event also has a source, which is the source of the event: {event.source}. But if you want to show the source of the message (the source device sending logs), you should use ${message.source}

Understood, thank you.
