Extracting Message Parameters to Alert Emails

I have a sample log message as follows, where the parameters in bold are the ones I want to extract and send via email notification:

A member was removed from a security-enabled global group.

Subject:
Account Name: my.username
Account Domain: MYDOMAIN

Member:
Account Name: CN=My User,DC=mydomain,DC=local

Group:
Group Name: TEST Group
Group Domain: MYDOMAIN

I already have existing field names as below for the above parameters:

  • MemberName: CN=My User,DC=mydomain,DC=local
  • SubjectUserName: my.username
  • TargetUserName: TEST Group
1 Like

@linden06

Hello,

Maybe I can help you. Are you looking for something like this?

     ${if backlog}
     --- [Backlog] ------------------------------------
     Last messages accounting for this alert:
     ${foreach backlog message}
     User:             ${message.fields.TargetUserName}
     Workstation Name: ${message.fields.WorkstationName}
     Event Time:       ${message.fields.EventReceivedTime}
     Source:           ${message.source}
     Logon Type:       ${message.LogonType}
     User SID:         ${message.SubjectUserSid}
     Account Name:     ${message.AccountName}
     Account Type:     ${message.AccountType}
     ${end}
     --- [Backlog End] ------------------------------------
     ${end}

If that's incorrect, have you seen this?

Alerts — Graylog 4.0.0 documentation.

Hope that helps.

2 Likes

I will try this out and let you know. Also, while I did see the documentation you provided, I didn’t see documentation on the syntax you’re using. Where may I find more info on the message syntax?

Hi @gsmith , I setup my email notification as:

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}

--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
User:                 ${message.fields.TargetUserName}
Workstation Name:     ${message.fields.WorkstationName}
Event Time:           ${message.fields.EventReceivedTime}
Source:               ${message.source}
Logon Type:           ${message.LogonType}
User SID:             ${message.SubjectUserSid}
Account Name:         ${message.AccountName}
Account Type:         ${message.AccountType}

However, when I receive the email alert, fields such as User, Workstation Name, etc. appear blank. The logs are being received as GELF UDP from a Windows domain controller.

--- [Event Definition] ---------------------------
Title:       Security Group Management
Description: 
Type:        aggregation-v1

--- [Event] --------------------------------------
Timestamp:            2021-05-01T21:49:50.000Z
Message:              Security Group Management
Source:               graylog
User:                 
Workstation Name:     
Event Time:           
Source:               
Logon Type:           
User SID:             
Account Name:         
Account Type:

You need to use a foreach -> end loop if you want to use fields from the message, like @gsmith suggested.

--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
${foreach backlog message}
User:                 ${message.fields.TargetUserName}
Workstation Name:     ${message.fields.WorkstationName}
Event Time:           ${message.fields.EventReceivedTime}
Source:               ${message.source}
Logon Type:           ${message.LogonType}
User SID:             ${message.SubjectUserSid}
Account Name:         ${message.AccountName}
Account Type:         ${message.AccountType}
${end}

https://docs.graylog.org/en/4.0/pages/alerts.html#data-available-to-notifications

2 Likes
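To see why the first template rendered blanks while the foreach version fills the fields in, here is an added Python stand-in for the notification template engine (it is not Graylog's own code; the context dict, the dc01 hostname and the two sample templates are constructed for the demonstration):

```python
"""Added example, not Graylog code: a tiny stand-in for the notification template
engine that mimics only `${path}` lookups and one non-nested `${foreach list var}
... ${end}`, enough to check the scoping rule from this thread offline."""
import re

TOKEN = re.compile(r"\$\{(.*?)\}")
END = "${end}"

def resolve(ctx, path):
    """Walk a dotted path such as message.fields.TargetUserName; None if unset."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def render(template, ctx):
    """Expand the template; unresolved variables render blank, as in the emails above."""
    out, i = [], 0
    while (m := TOKEN.search(template, i)):
        out.append(template[i:m.start()])
        expr = m.group(1).split()
        if expr[0] == "foreach":
            end = template.index(END, m.end())      # loop body runs up to ${end}
            body = template[m.end():end]
            for item in resolve(ctx, expr[1]) or []:  # empty backlog -> nothing
                out.append(render(body, {**ctx, expr[2]: item}))  # bind loop var
            i = end + len(END)
        else:
            value = resolve(ctx, expr[0])
            out.append("" if value is None else str(value))
            i = m.end()
    return "".join(out) + template[i:]

# Constructed context modelled on the thread: event-level data plus one backlog message.
CONTEXT = {
    "event": {"timestamp": "2021-05-01T21:49:50.000Z",
              "message": "Security Group Management", "source": "graylog"},
    "backlog": [{"source": "dc01.mydomain.local",  # hypothetical DC hostname
                 "fields": {"TargetUserName": "TEST Group",
                            "SubjectUserName": "my.username",
                            "MemberName": "CN=My User,DC=mydomain,DC=local"}}],
}
BROKEN = "User: ${message.fields.TargetUserName}\n"   # message.* outside the loop
FIXED = ("${foreach backlog message}User: ${message.fields.TargetUserName}\n"
         "Member: ${message.fields.MemberName}\n${end}")
```

Rendering BROKEN gives "User: " with nothing after it, FIXED gives both values, and FIXED with an empty backlog (backlog disabled or set to 0 in the event definition) renders nothing at all.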

Hi @shoothub, yes, the foreach → end was what I needed to see the fields from the message log.

Under Alerts > Event Definitions, on the edit page for the Event Definition, I also enabled the Message Backlog and set it to 5 messages.

Thanks everyone for your replies.

1 Like
