I’m new on Graylog and I’m having some issues with notifications. I have created a Telegram notification and it’s working without problem. Today two devices (firewall and AD DC) are sending information to Graylog; one has the field ‘message’ and the other ‘full_message’. I don’t know why I can’t create two notifications with the same configuration, so what I would like to know is if it’s possible to use a condition like use ‘message’ or ‘full_message’. I did a test with:
First, it would be nice to know which Graylog version you are using?
Second, I would start normalizing your data. This means cut/split/extract the information you really want into separate fields that you know and control. Those fields can then be used in the notification for more detailed/better messages.
Sorry, my Graylog version is “Graylog 3.1.3+cda805f on server (Private Build 1.8.0_232 on Linux 5.0.0-37-generic)”.
Answering your second question, I was able to use a pipeline rule to remove the field message and rename the field full_message to message; this ‘solved’ the problem…
Out of curiosity, what is the best practice here? Would I need to create one notification for each ‘subject’ (in other words, one notification for each ‘event definition’)?
You have multiple options, and what is best for your environment I can only guess.
But I would use processing pipelines to identify the events I want to be alerted on, create a new field for that, and use the alerting to watch for this newly created field.
This way you can use the complete power of the processing pipeline to identify the events you want to be alerted on, and even extract data on specific events to have that separate for search and notifications.
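An added example, not code from either poster or from Graylog itself, showing both replies' approach in the pipeline rule language: the original poster's normalization rule (overwrite `message` from `full_message`), then tagging rules that set a dedicated field for the event definition to filter on. The pipeline and rule names, the `alert_type` field and its values, and the match strings are assumptions; `has_field`, `contains`, `set_field` and `remove_field` are standard pipeline functions.

```graylog
// Rule 1: the original poster's fix. Whenever a message carries `full_message`,
// copy its text into `message` and drop `full_message`, so both the firewall
// and the AD DC end up with the text in the same field.
rule "normalize full_message into message"
when
    has_field("full_message")
then
    set_field("message", to_string($message.full_message));
    remove_field("full_message");
end

// Rule 2: identify one event worth alerting on and record the verdict in a
// dedicated field. `alert_type` is an assumed field name; the match string is
// the text of Windows security event 4625 (failed logon).
rule "tag failed logons"
when
    has_field("message") &&
    contains(to_string($message.message), "An account failed to log on", true)
then
    set_field("alert_type", "failed_logon");
end

// Rule 3: same idea for the firewall. "deny" is a placeholder for whatever
// keyword that firewall actually logs.
rule "tag firewall denies"
when
    has_field("message") &&
    contains(to_string($message.message), "deny", true)
then
    set_field("alert_type", "firewall_deny");
end

// Normalization lives in its own pipeline: a stage whose rule does not match
// (firewall logs have no `full_message`) would stop later stages of that
// pipeline, but not stages of other pipelines connected to the same stream.
pipeline "normalize message field"
stage 0 match either
    rule "normalize full_message into message";
end

// Stages run in numeric order across all pipelines on the stream, so stage 1
// here always sees the `message` field produced by stage 0 above.
pipeline "tag events for alerting"
stage 1 match either
    rule "tag failed logons";
    rule "tag firewall denies";
end
```

The event definition's search filter is then `alert_type:failed_logon` (or `alert_type:firewall_deny`), so one notification setup serves both sources regardless of which field the device originally used.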