I have a sample log message as follows, where the parameters in bold are the ones I want to extract and send via email notification:
A member was removed from a security-enabled global group.
Subject:Account Name: my.username
Member:Account Name: CN=My User,DC=mydomain,DC=local
Group:Group Name: TEST Group
I already have existing field names as below for the above parameters:
MemberName: CN=My User,DC=mydomain,DC=local
SubjectUserName: my.username
TargetUserName: TEST Group
1 Like
gsmith
May 1, 2021, 4:33am
2
@linden06
Hello,
Maybe I can help you. Are you looking for something like this?
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
User: ${message.fields.TargetUserName}
WorkStaion Name: ${message.fields.WorkstationName}
Event Time: ${message.fields.EventReceivedTime}
Source: ${message.source}
Logon Type: ${message.LogonType}
User SID: ${message.SubjectUserSid}
Account Name: ${message.AccountName}
Account Type: ${message.AccountType}
--- [Backlog End] ------------------------------------
If thats incorrect have you seen this?
Alerts — Graylog 4.0.0 documentation .
Hope that helps.
2 Likes
I will try this out and let you know. Also, while I did see the documentation you provided, I didn’t see documentation on the syntax you’re using. Where may I find more info on the message syntax?
linden06
May 1, 2021, 10:14pm
4
Hi @gsmith , I setup my email notification as:
--- [Event Definition] ---------------------------
Title: ${event_definition_title}
Description: ${event_definition_description}
Type: ${event_definition_type}
--- [Event] --------------------------------------
Timestamp: ${event.timestamp}
Message: ${event.message}
Source: ${event.source}
User: ${message.fields.TargetUserName}
Workstation Name: ${message.fields.WorkstationName}
Event Time: ${message.fields.EventReceivedTime}
Source: ${message.source}
Logon Type: ${message.LogonType}
User SID: ${message.SubjectUserSid}
Account Name: ${message.AccountName}
Account Type: ${message.AccountType}
However, when I receive the email alert, the fields as User, Workstation Name, etc, appear as blanks. The logs are being received as GELF UDP from a Windows domain controller.
--- [Event Definition] ---------------------------
Title: Security Group Management
Description:
Type: aggregation-v1
--- [Event] --------------------------------------
Timestamp: 2021-05-01T21:49:50.000Z
Message: Security Group Management
Source: graylog
User:
Workstation Name:
Event Time:
Source:
Logon Type:
User SID:
Account Name:
Account Type:
shoothub
May 3, 2021, 8:18am
5
You need to use loop foreach -> end if you want to use fields from message like @gsmith suggested.
--- [Event] --------------------------------------
Timestamp: ${event.timestamp}
Message: ${event.message}
Source: ${event.source}
${foreach backlog message}
User: ${message.fields.TargetUserName}
Workstation Name: ${message.fields.WorkstationName}
Event Time: ${message.fields.EventReceivedTime}
Source: ${message.source}
Logon Type: ${message.LogonType}
User SID: ${message.SubjectUserSid}
Account Name: ${message.AccountName}
Account Type: ${message.AccountType}
${end}
https://docs.graylog.org/en/4.0/pages/alerts.html#data-available-to-notifications
2 Likes
Hi @shoothub , yes, the foreach → end was what I needed to see the fields from the message log.
Under Alerts > Event Definitions, on the edit page for the Event Definitions, I also enabled the Message Backlog to 5 messages.
Thanks everyone for your replies.
1 Like
system
May 22, 2021, 2:44am
7
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
