Email fails to have any data in it

I am running Graylog 6.3.1+7bd8532 Open
I am trying to send email alerts for failed login and host computer name.
I have spent a serious amount of time using various combinations trying to get an email sent with both bits of information. I am using winlogbeat on my servers, no sidecar, manual install.

In the input show received message I can see

"winlogbeat_host_name": "hostxx",
"winlogbeat_agent_name": "hostxx",
"winlogbeat_host_hostname": "hostxx",

but I do not get any information in the email
A “Failed Logins” event was triggered for a user on a specific server.

 
---
Event Details
---
Username: 
Server Hostname: 
Number of failed attempts:  in the last 5 minutes.
 

However, in the alert there is all the information that should be added to the email.

I have attached a screenshot.

Does anyone know if there is a bug with sending the email with the following
winlogbeat_winlog_computer_name
winlogbeat_winlog_event_data_TargetUserName

Hey @smithsteve,

Are these fields accounted for within the email template?

Yes, I tried in the Body and in the HTML body. I am struggling to get to grips with this. I have tried another approach with streams, and I can see the data: when I perform a load message, I get the 2 green bars to confirm the naming and data are valid.

Do you know of a good site or a YouTube channel that covers this? I think I am close, just not exactly correct.

Hello @smithsteve,

There is a free course on the subject that can be found here.

The only fields available as event metadata (${foreach event.fields field} ${field.key}: ${field.value} ${end}) are those passed through as custom fields. In your case that is winlogbeat_winlog_computer_name etc. If you wanted to utilise fields from the actual message that triggered the alert, then you should be using the backlog.

${foreach backlog message} ${message} ${end}
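The distinction described in the reply above, as an added example that is not part of the original thread: an email body template that prints the Event Definition's custom fields and also reads the same Winlogbeat fields from each backlog message. The field names are the ones quoted in this thread; it assumes backlog message summaries expose a `fields` map, as listed in Graylog's notification template variables.

```text
--- [Event] --------------------------------------
Title:     ${event_definition_title}
Timestamp: ${event.timestamp}
Message:   ${event.message}

--- [Custom fields defined on the Event Definition] ---
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Messages that triggered the alert] ----------
${foreach backlog message}
Time:      ${message.timestamp}
Source:    ${message.source}
Computer:  ${message.fields.winlogbeat_winlog_computer_name}
User:      ${message.fields.winlogbeat_winlog_event_data_TargetUserName}
Source IP: ${message.fields.winlogbeat_winlog_event_data_IpAddress}
${end}
${else}
No backlog messages were attached to this event.
${end}
```

The backlog section only renders when the notification is configured with a message backlog greater than zero; otherwise the `${else}` branch is what arrives in the email.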

Hi Wine_Merchant,

Thank you for the link, I will have a look.
I think I have it working. I do get an alert now.

Here is the Email Body

--- [Event Definition] ---------------------------
Title: ${event_definition_title}
Description: ${event_definition_description}
Type: ${event_definition_type}
--- [Event] --------------------------------------
Alert Replay: ${http_external_uri}alerts/${event.id}/replay-search
Timestamp: ${event.timestamp}
Message: ${event.message}
User: ${event.fields.winlogbeat_winlog_event_data_TargetUserName}
Server: ${event.fields.source}
Source IP: ${event.fields.winlogbeat_winlog_event_data_IpAddress}
Source: ${event.source}
Key: ${event.key}
Priority: ${event.priority}
Alert: ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start: ${event.timerange_start}
Timerange End: ${event.timerange_end}
Fields:
${foreach event.fields field} ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}
${“//”-}

So I have the key fields, and I have managed to get this output now:
Username and Host id
UserLoginFailure: get.data|hostid - count()=7.0

Alert

true

Timestamp Processing

2025-08-09T10:08:00.320Z

Timerange Start

2025-08-09T10:03:00.320Z

Timerange End

2025-08-09T10:08:00.320Z

Source Streams

000000000000000000000001

Fields

  • Faileduserlogin:

  • Failedloginserver:

While not being pretty, I think it's a valid alert.

Hey @smithsteve,

That’s looking correct! Thanks for following up with an answer.