hi, i am new to graylog, I have installed the system and it is ingesting logs without issue. i am setting up some basic alerts but i am confused on how to include message data in an alert log. i am using sidecar with winlogbeat. I have created an alert for “locked out user” and i would like to include
winlogbeat_winlog_event_data_TargetUserName
in the alert message…how do i do that?
thanks
I think it would look like this:
${foreach backlog message}
${message.fields.winlogbeat_winlog_event_data_TargetUserName}
{end}
I don’t recall the explanation off -hand (at home, all the cool stuff is at work) but this should pull the data from all messages within your backlog time period.
thanks, i will give this a shot
ok, i put this in the message:
and the email gave me this:
but when i go to the logs, i see this:
so that did not seem to work…but the data is in the log…
can anyone point out what i am doing wrong?
thanks in advance
That is the format I have in my subject line and it works just fine… What version of Graylog are you on? The only difference I can see is mine does not have spaces. Here it is verbatim:
ALERT: ${foreach backlog message}${message.fields.details_event}${end}
hi, i am running a new install of 4.2.8. I have cut/pasted your example and substituted like so:
ALERT: ${foreach backlog message}${message.fields.winlogbeat_winlog_event_data_TargetUserName}${end}
i don;t see a difference, but i am hoping this will work, i am waiting for the event to occur for a test.
is there something “special” about the variable that it needs to be treated differently? I have been doing a lot of searching, i see in some posts people use $$ instead of $…do you know why?
thanks
so, it did not take long and this did not work…
after the word ALERT, should be the value in targetuser
ugg!
ug, ok, i figured out my issue, i missed this step in creating the event. I had the number of backlog messages set to 0, so …of course… there were no messages to pull variables from
thanks for everyones help
Great! Thanks for posting a solution for future searchers! 
This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.
