How can I receive more information in email notice when I use group by

I have a Graylog server for a firewall.
Now I have created a new alert with email notice.
The alert is grouped by source IP, and when the count of messages is more than 100, Graylog will send an email to me.
I received an email with the source IP and the count of messages, but no destination IP.
I tried to set [Message Backlog], but the [Message Backlog] in the email does not match the grouped-by source IP; it only matches the Search Query.

@Duyanhui333 You can use a custom field for destination IP in the field tab of the Event definition. Also, take a look at the documentation link below for your reference before making any changes.
https://docs.graylog.org/en/3.3/pages/alerts.html#fields

Hope this helps you :)

Thank you for your help.
When I create the event, I set Group By src and count()>100. I use a custom field for src. But if the alert is noticed, there will be more than 100 destination IPs. I think a custom field is for only one destination IP. Is there any way to display all of the destination IPs?

@Duyanhui333 Custom field includes additional information on events generated from the Event definition. This will help you to search for events or more context information while receiving notification.
