Getting wrong values in graylog

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:

Am configuring to send Alerts from graylog to slack using events & notifications

2. Describe your environment:

  • OS Information: on kubernetes

  • Package Version: 5.1

3. What steps have you already taken to try and solve the problem?

have tried multiple templates from ChatGPT & Community docs, but nothing working

4. How can the community help?

Can you help with the Custom Message Template in notifications to send message on slack.
I want to send all logs which alerts to slack, with message, source
Can you explain why backlog is required? can’t we send all live event logs to slack without backlog? if backlog is required, then how to send live data? am getting empty out put on event.message field & graylog ip in event.source

Can you share your custom message? Here is the default that i see in my graylog instance:

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Event Fields:
${foreach event.fields field}
${field.key}: ${field.value}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message.timestamp}  ::  ${message.source}  ::  ${message.message}

Note that if you do want message content to be included you do need to enable message backlog and choose the number of messages to include:

The fields allow graylog to add attributes from the original message into the alert message. For example, if you have an alert for password failure, you can add the username to the alert. To do this is a tad confusing but you add fields and configure “set value from” to template and set the field using ${source.fieldname} where fieldname is the name of the field in the original message that triggered the event/alert.

To answer your questions specifically:

  • Can you explain why backlog is required?
    • thats just how the software is coded. Backlog allows the message themselves to be included in the alert notification.
  • can’t we send all live event logs to slack without backlog?
    • no. if the backlog is not used, the messages will not be sent via the alert notification
  • if backlog is required, then how to send live data
    • see above, you can use both backlog as well as fields

Hope that helps.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.