Getting wrong values in graylog

1. Describe your incident:

I am configuring Graylog to send alerts to Slack using events & notifications.

2. Describe your environment:

  • OS Information: on Kubernetes

  • Package Version: 5.1

3. What steps have you already taken to try and solve the problem?

I have tried multiple templates from ChatGPT and the community docs, but nothing is working.

4. How can the community help?

Can you help with the custom message template in notifications to send a message to Slack?
I want to send all logs that trigger alerts to Slack, with message and source.
Can you explain why the backlog is required? Can't we send all live event logs to Slack without the backlog? If the backlog is required, then how do I send live data? I am getting empty output in the event.message field and the Graylog IP in event.source.

Can you share your custom message? Here is the default that I see in my Graylog instance:

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Event Fields:
${foreach event.fields field}
${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message.timestamp}  ::  ${message.source}  ::  ${message.message}
${message.message}
${end}${end}

Note that if you do want message content to be included you do need to enable message backlog and choose the number of messages to include:

The fields allow Graylog to add attributes from the original message into the alert message. For example, if you have an alert for password failure, you can add the username to the alert. Doing this is a tad confusing, but you add fields and configure “Set value from” to Template and set the field using ${source.fieldname}, where fieldname is the name of the field in the original message that triggered the event/alert.

To answer your questions specifically:

  • Can you explain why backlog is required?
    • That's just how the software is coded. The backlog allows the messages themselves to be included in the alert notification.
  • Can't we send all live event logs to Slack without backlog?
    • No. If the backlog is not used, the messages will not be sent via the alert notification.
  • If backlog is required, then how to send live data?
    • See above; you can use both the backlog as well as fields.

Hope that helps.
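As an added illustration (not part of either post above), here is one way to combine the two mechanisms the answer describes. It assumes the event definition has a field named username with “Set value from” = Template and the template ${source.user_name}, that the original log messages carry a user_name field, and that ${event.fields.username} resolves that field in the notification template; all three names are assumptions about your setup, not values from the thread.

```text
--- [Event] --------------------------------------
Title:      ${event_definition_title}
Timestamp:  ${event.timestamp}
Message:    ${event.message}
Source:     ${event.source}
Username:   ${event.fields.username}
--- [All event fields] ---------------------------
${foreach event.fields field}
${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message.timestamp}  ::  ${message.source}  ::  ${message.message}
${end}
${end}
```

Without the event-definition field, the Username line renders empty even though the backlog loop still shows the raw messages; with it, the extracted value appears even when the message backlog is disabled, which is the “both backlog as well as fields” point made above.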

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.