Hey @michmoor0725
Think I understand your question, correct me if I’m wrong.
You want to use the Notification template to get separate fields in your Email.
Example:
"Windows System has been shutdown by a process/user" Notification
--- [Event Definition] ---------------------------
Title: ${event_definition_title}
Description: ${event_definition_description}
Type: ${event_definition_type}
--- [Event] --------------------------------------
Timestamp: ${event.timestamp}
Message: ${event.message}
Source: ${event.source}
Key: ${event.key}
Priority: ${event.priority}
Alert: ${event.alert}
Timestamp Processing: ${event.timestamp_processing}
Timerange Start: ${event.timerange_start}
Timerange End: ${event.timerange_end}
Fields:
${foreach event.fields field} ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message.fields.TargetUserName}
${message.fields.WorkstationName}
${message.fields.EventReceivedTime}
${message.fields.source}
Message Link: https://graylog.domain.com:9000/messages/${message.index}/${message.id}
${end}
${end}
So what I have is the fields called TargetUserName, WorkstationName, EventReceivedTime, source. Only that info will be sent.
Also, I have a URL that will take you to the Message.
Message Link: https://graylog.domain.com:9000/messages/${message.index}/${message.id}
You need to have these fields created prior to configuring the notification, the source field should be there already as shown below:
These Fields were created by using GELF TCP/TLS but some devices will not be able to use GELF type for an input.
If this is the case then probably the easiest way would be to use an Extractor or GROK. Then maybe later start using pipelines.
For example here is a REGEX extractor to get traffic type from my firewall logs
Hope that helps
EDIT: @michmoor0725
I forgot to mention, in the notification template you posted the timestamp section is incorrect. It should be something like this…
This is just the bottom part of the notification template shown.
Fields:
${foreach event.fields field} ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Login Alert: ${message.fields.full_message}
Timestamp: ${message.timestamp}
useradded: ${message.fields.useradded}
${end}
${end}
Results:
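As an added example (not code from the post above), a small Python check that lists which message fields the backlog section of the template reads and reports which of them a given message lacks, so the fields can be confirmed to exist before the notification is configured. The template lines are the ones from the post; the two sample messages are constructed.

```python
import re
from typing import Dict, List, Set

# Backlog section of the template from the post above (unchanged).
TEMPLATE = """\
${foreach backlog message}
${message.fields.TargetUserName}
${message.fields.WorkstationName}
${message.fields.EventReceivedTime}
${message.fields.source}
Message Link: https://graylog.domain.com:9000/messages/${message.index}/${message.id}
${end}
"""

# Matches ${message.fields.<name>} placeholders; <name> is anything up to '}'.
FIELD_REF = re.compile(r"\$\{message\.fields\.([^}\s]+)\}")


def referenced_fields(template: str) -> Set[str]:
    """Return every message field name the template reads from the backlog."""
    return set(FIELD_REF.findall(template))


def missing_fields(template: str, message: Dict[str, object]) -> List[str]:
    """Fields the template expects that this message does not carry, sorted."""
    return sorted(referenced_fields(template) - set(message))


# Constructed sample messages (not real log data). The first mimics a Windows
# event shipped over GELF, where the fields already exist as separate keys;
# the second mimics a plain syslog line, where only 'source' and 'message'
# exist until an extractor or GROK pattern creates the rest.
GELF_MESSAGE = {
    "source": "WIN-DC01",
    "message": "A user account was created.",
    "TargetUserName": "jdoe",
    "WorkstationName": "WIN-DC01",
    "EventReceivedTime": "2023-01-01 10:00:00",
}
SYSLOG_MESSAGE = {
    "source": "edge-fw",
    "message": "Jan  1 10:00:00 edge-fw user jdoe logged in from host WS42",
}

if __name__ == "__main__":
    for label, msg in (("gelf", GELF_MESSAGE), ("syslog", SYSLOG_MESSAGE)):
        gaps = missing_fields(TEMPLATE, msg)
        print(f"{label}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

A message that reports missing fields would render those template lines empty in the email, which is the symptom the post describes when the fields have not been created by an input or extractor yet.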