Graylog does not send one type of log to an email

Hello. I have set up e-mail notifications for the most important logs on my Graylog. I have three streams and everything works fine, but I don't get information when the server shuts down unexpectedly. In the stream rules I have a level lower than 3 and three rules excluding sources that are not interesting to me.

Up to this point, everything works fine. As you can see in the picture (red frame), the logs go to the stream I created. And now something strange is happening: I get logs 2 and 3 by e-mail, but not 1. I don't know if it matters, but it is a log about an unexpected shutdown and it is more important to me than the other two. At first I thought it was a one-off, but today it happened again.
Graylog runs on Ubuntu (virtual machine). Thanks for the help.

Hello && Welcome @jacopo097

What I see is that the logs go into the stream Logs Server. To help resolve this issue, could you post how you set up your Event Definition and/or Notification Template for this alert?

No problem.

Body Template


--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp_processing}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

HTML Body Template

<table width="100%" border="0" cellpadding="10" cellspacing="0" style="background-color:#f9f9f9;border:none;line-height:1.2"><tbody>
<tr style="line-height:1.5"><th colspan="2" style="background-color:#e6e6e6">Event Definition</th></tr>
<tr><td width="200px">Title</td><td>${event_definition_title}</td></tr>
<tr><td>Description</td><td>${event_definition_description}</td></tr>
<tr><td>Type</td><td>${event_definition_type}</td></tr>
</tbody></table>
<br /><table width="100%" border="0" cellpadding="10" cellspacing="0" style="background-color:#f9f9f9;border:none;line-height:1.2"><tbody>
<tr><th colspan="2" style="background-color:#e6e6e6;line-height:1.5">Event</th></tr>
<tr><td width="200px">Timestamp</td><td>${event.timestamp}</td></tr>
<tr><td>Message</td><td>${event.message}</td></tr>
<tr><td>Source</td><td>${event.source}</td></tr>
<tr><td>Key</td><td>${event.key}</td></tr>
<tr><td>Priority</td><td>${event.priority}</td></tr>
<tr><td>Alert</td><td>${event.alert}</td></tr>
<tr><td>Timestamp Processing</td><td>${event.timestamp_processing}</td></tr>
<tr><td>Timerange Start</td><td>${event.timerange_start}</td></tr>
<tr><td>Timerange End</td><td>${event.timerange_end}</td></tr>
<tr><td>Source Streams</td><td>${event.source_streams}</td></tr>
<tr><td>Fields</td><td><ul style="list-style-type:square;">${foreach event.fields field}<li>${field.key}:${field.value}</li>${end}</ul></td></tr>
</tbody></table>
${if backlog}
<br /><table width="100%" border="0" cellpadding="10" cellspacing="0" style="background-color:#f9f9f9;border:none;line-height:1.2"><tbody>
<tr><th style="background-color:#e6e6e6;line-height:1.5">Backlog (Last messages accounting for this alert)</th></tr>
${foreach backlog message}
<tr><td><b>ID:</b> ${message.id}</td></tr>
<tr><td><b>CONTENT:</b> ${message.fields.full_message}</td></tr>
<tr><td><b>SOURCE:</b> ${message.source}</td></tr>
<tr><td><b>TIMESTAMP (-1h):</b> ${message.timestamp}</td></tr>
${end}
</tbody></table>
${end}
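
The following is an added example, not part of this thread and not Graylog's own code. It is a small offline renderer for the subset of Graylog's notification template syntax (JMTE) that the two templates above rely on: `${path}` lookups, `${foreach list item}...${end}` and `${if cond}...${end}`. It renders a trimmed copy of the plain-text body template against a constructed event payload (the hostnames, timestamps and message text are made up) and reports every placeholder that resolves to nothing, which is the quickest way to catch a template that references a variable the event never carries. The JMTE behaviours it mimics (map entries exposed as `.key`/`.value`, unknown variables rendered as empty text) are assumptions based on Graylog's default template, not verified against the JMTE source.

```python
import re

# Added example, not Graylog code: an offline renderer for the subset of Graylog's
# template syntax (JMTE) used above: ${path}, ${foreach list item}...${end}, ${if x}...${end}.
TAG = re.compile(r"\$\{([^}]*)\}")

# Constructed sample context (not captured from a real Graylog instance).
SAMPLE_CONTEXT = {
    "event_definition_title": "Unexpected shutdown",
    "event": {
        "timestamp": "2023-03-01T07:12:03.000Z",
        "timestamp_processing": "2023-03-01T07:12:05.000Z",
        "message": "Kernel-Power 41: rebooted without cleanly shutting down",
        "source": "srv01",
        "fields": {"EventID": "41", "level": "1"},
    },
    "backlog": [
        {"source": "srv01", "fields": {"full_message": "The system has rebooted without cleanly shutting down first."}},
    ],
}

# Trimmed copy of the plain-text body template from the post.
BODY_TEMPLATE = """\
Title:                ${event_definition_title}
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Timestamp Processing: ${event.timestamp_processing}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
Last messages accounting for this alert:
${foreach backlog message}
${message.source}: ${message.fields.full_message}
${end}
${end}
"""

def lookup(path, ctx):
    # Resolve a dotted path such as message.fields.full_message; None if absent.
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def tokenize(template):
    # Split the template into ('text', s) and ('tag', body) tokens.
    tokens, pos = [], 0
    for m in TAG.finditer(template):
        if m.start() > pos:
            tokens.append(("text", template[pos:m.start()]))
        tokens.append(("tag", m.group(1).strip()))
        pos = m.end()
    if pos < len(template):
        tokens.append(("text", template[pos:]))
    return tokens

def _block(tokens, i, ctx, unresolved):
    # Render tokens from index i up to the matching ${end}; return (text, next_index).
    # unresolved is None inside skipped blocks, so their missing paths are not reported.
    out = []
    while i < len(tokens):
        kind, body = tokens[i]
        if kind == "text":
            out.append(body); i += 1; continue
        words = body.split()
        if words[0] == "end":
            return "".join(out), i + 1
        if words[0] == "foreach":
            items = lookup(words[1], ctx)
            if isinstance(items, dict):  # assumed JMTE behaviour: map entries as .key / .value
                items = [{"key": k, "value": v} for k, v in items.items()]
            items = list(items or [])
            if not items:  # consume the body anyway so ${end} nesting stays balanced
                _, i = _block(tokens, i + 1, {}, None); continue
            for item in items:
                text, nxt = _block(tokens, i + 1, {**ctx, words[2]: item}, unresolved)
                out.append(text)
            i = nxt; continue
        if words[0] == "if":
            cond = lookup(words[1], ctx)
            text, i = _block(tokens, i + 1, ctx, unresolved if cond else None)
            if cond: out.append(text)
            continue
        value = lookup(body, ctx)
        if value is None and unresolved is not None:
            unresolved.append(body)  # assumed JMTE behaviour: unknown variable renders as empty text
        out.append("" if value is None else str(value)); i += 1
    return "".join(out), i

def render(template, ctx):
    # Return (rendered_text, unresolved_placeholders) for a template and context.
    unresolved = []
    text, _ = _block(tokenize(template), 0, ctx, unresolved)
    return text, unresolved
```

Calling `render(BODY_TEMPLATE, SAMPLE_CONTEXT)` returns the rendered e-mail body and an empty list of unresolved placeholders; feeding it a template that references a field the event does not carry (for example `${event.nope}`) returns that path in the list, while a template whose `${if backlog}` block is skipped because the backlog is empty reports nothing for the variables inside it.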

Hello

Have you tried these settings?

Then


If that doesn't work, have you tested the notification to see if it works?

OK, I'll check it and let you know if it helped.

It's strange, but now I created a new event definition which I called test, triggered the event in Windows with the "New-WinEvent -Id 41 -ProviderName microsoft-windows-kernel-power -Version 1" command, and I get two messages by email: from the old event definition (from which they did not come before) and from the new one. I'll leave them both and wait to see what happens.

Oh nice.
If you can keep us informed, I would like to know what happened.

Unfortunately, the same situation repeated: the log about the unexpected system shutdown was sent to the stream, but the e-mail was not sent.

I don't know what the reason is, but the log goes to the stream and not to Alerts & Events.

Hello,

I have a feeling it's the configuration of your Event Definition. Showing your new settings would help. Perhaps we can figure this out or at least troubleshoot the issue.

Hello,

I did a test for you in my lab for better clarity.
Created a stream, Event Definition and Notification.

Example:
Summary of the Event Definition:

Alerts and Events:

Email notification:

Hope that helps

Thanks a lot! I changed the settings to the same as yours, and when the server shuts down again I will let you know if it helped.

