Graylog 4.0.6 Event Notification not working properly

Hello everyone,

we are using a single node Graylog and had the version 4.0.5.
We had an email notification with following body template:

------------------- [Notification] -----------------------

Title:                ${event_definition_title}
Timestamp:            ${event.timestamp}
${if backlog}

 

Alert:
${foreach backlog message}
Message: ${message.message}
Source: ${message.source}
Timestamp: ${message.timestamp}
${end}
${end}
------------------ SENT VIA GRAYLOG ----------------------

It worked perfectly as seen below (This was the e-mail I got):


------------------- [Notification] -----------------------

Title:                System-Prod-Info-Finished
Timestamp:            2021-04-19T10:43:01.218Z


Alert:
Message: System finished.
Source: myserver.company.com
Timestamp : 2021-04-19T10:43:01.218Z


------------------ SENT VIA GRAYLOG ----------------------

After updating to graylog 4.0.6 it only sends the following and ignores the backlog:
Everything after ${if backlog} is empty.

------------------- [Notification] -----------------------

Title:                System-Prod-Info-Finished
Timestamp:            2021-04-21T10:00:01.218Z

I've seen that there was a change:

How can I fix my problem?
Thanks in advance

@researchdc

Hello and Welcome.
FYI, when you have code, configuration, logs, or shell output, it should be formatted with three surrounding backticks (```).

This makes your config files and/or logs easier to read. You can find more here: Format topics with Markdown
Thank you.

Correct me if I'm wrong, but your issue is missing Event Definition Metadata?
I'm running GL 4.0.6, which was upgraded from 4.0.5, but I haven't run into notification issues yet.
Have you tried recreating the Notification template again and reattaching to the Event Definition?
Does your Notification template look something like this?

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

Hello gsmith,
thank you for your answer.
You understood my problem correctly: the metadata of the event definition is gone since the last update.
I recreated the Notification template, and even if I use the standard template, I don't get the information.

Even if I use your template (which seems to be exactly like the one when I create a new notification), I get the info, but I don't see anything after ${if backlog}. It just doesn't exist.

Edit:
If I remove the ${if backlog} and ${foreach backlog message} and just use Message: ${message.message}, it is just empty. If I use Message: ${event.message}, I receive the name of the event definition, but not the log message I was expecting.

SOLVED: I found my error: I removed the checkbox in the event definition at "Notification → Message Backlog". I've clicked the checkbox again with a value of 50 (the number of messages to be included in notifications). Now I am receiving my messages again.

Thanks to everyone who tried to help me!


@researchdc
I'm glad you solved it. I just read your post and was going to tell you about the event definition checkbox.
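
An added example, not written by anyone in this thread: a small offline check for the condition that caused the empty emails, namely an event definition with no message backlog whose attached notification template still uses `${if backlog}` or `${foreach backlog ...}`. The field names (`notification_settings.backlog_size`, `notifications[].notification_id`, `config.body_template`) are assumed to match the JSON of exported event definitions and notifications, and the sample data is constructed.

```python
import re

# Template constructs that render nothing when the event carries no backlog.
BACKLOG_REF = re.compile(r"\$\{\s*(?:if|foreach)\s+backlog\b")


def find_silent_backlog(event_definitions, notifications):
    """Return (definition title, notification title) pairs where the body
    template references the backlog but the definition stores none."""
    templates = {
        n["id"]: (n["title"], n.get("config", {}).get("body_template") or "")
        for n in notifications
    }
    findings = []
    for d in event_definitions:
        size = (d.get("notification_settings") or {}).get("backlog_size") or 0
        if size > 0:
            continue  # backlog enabled, the template blocks will render
        for ref in d.get("notifications") or []:
            title, body = templates.get(ref["notification_id"], (None, ""))
            if title is not None and BACKLOG_REF.search(body):
                findings.append((d["title"], title))
    return findings


# Constructed sample data (assumed field names, see lead-in).
NOTIFICATIONS = [
    {"id": "n1", "title": "Mail to ops", "config": {"body_template":
        "Title: ${event_definition_title}\n${if backlog}\nAlert:\n"
        "${foreach backlog message}\nMessage: ${message.message}\n${end}\n${end}"}},
    {"id": "n2", "title": "Mail summary", "config": {"body_template":
        "Title: ${event_definition_title}\nMessage: ${event.message}"}},
]
EVENT_DEFINITIONS = [
    {"title": "System-Prod-Info-Finished",
     "notification_settings": {"backlog_size": 0},
     "notifications": [{"notification_id": "n1"}]},
    {"title": "Backlog enabled",
     "notification_settings": {"backlog_size": 50},
     "notifications": [{"notification_id": "n1"}]},
    {"title": "No backlog needed",
     "notification_settings": {"backlog_size": 0},
     "notifications": [{"notification_id": "n2"}]},
]

if __name__ == "__main__":
    for definition, notification in find_silent_backlog(EVENT_DEFINITIONS, NOTIFICATIONS):
        print(f"{definition}: '{notification}' uses the backlog, but backlog size is 0")
```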
