How to customize my backlog message?

ericwu · March 10, 2022, 2:00am

Version : 4.2.7

Message Template as below :


日志報錯 : ${event_definition_title}
描述 : ${event_definition_description} 
時間 : ${event.timestamp}
內容 :
${if backlog}
${foreach backlog message}
${message}
=========================
${end}
${end}

My original log message as below :

My question is :
When I got alert from telegram, the backlog will show too many fields that I do not need.
like this :
fields={gl2_accounted_message_size=652, level=5, gl2_remote_ip=10.140.0.127, gl2_remote_port=43884, facility_num=1, gl2_message_id=01FXRRP2QS7YARCETQR5KV91CC, gl2_source_node=9fd0b2a9-07f8-403f-86e1-455b935157bc, gl2_source_input=6228707e963f950ddc47a84d, facility=user-level}, id=5addde90-a015-11ec-b866-42010a8c00c7, source=10.140.15.239, stream_ids=[62287223963f950ddc47aaa6]}

How can I delete or modify this in backlog ?
Any idea?

gsmith · March 10, 2022, 2:39am

Hello && Welcome @ericwu

To removed the backlog messages it will be this section. This all can be done on the Notification Template.

${message}

From here

${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}

If you’re only using Body Template and depending on what fields are generated the configuration could look something like this. I have modified it to only grab what fields I wanted to see.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Stream URL:           ${event.stream_name}          
${if stream_url}Stream URL: ${stream_url}${end}

${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
User:             ${message.fields.TargetUserName}
WorkStation Name: ${message.fields.WorkstationName}
Event Time:       ${message.fields.EventReceivedTime}
Source:           ${message.source}
Logon Type:       ${message.LogonType}
---[backlog end]---------------------------------
${end}
${end}

The gl2_* can be used, I’m not sure if you have those other ones, if not you may need to create them (extractors/pipelines) or use a different format ( i.e. GELF).

ericwu · March 10, 2022, 3:07am

Thanks a lot @gsmith .

so if I want delete the “gl2_*” section on my alert message.
The only way is create textractors/pipelines or use a different format ?

gsmith · March 10, 2022, 3:16am

Hello

The gl2_ * is part of Graylog.

I was referring to adding not deleting fields.

If this is just for the email notifications what you do is remove ${message} from the notification template and just add your own fields needed, should be good.

ericwu · March 10, 2022, 3:36am

@gsmith
My alert message include two section
one is : the original log message
two is : gl2_* section
I’ve tried to remove ${message} but the telegram will show nothing.
How can I do to only send “one” section to telegram alert ?

gsmith · March 10, 2022, 3:55am

Hello,

What you showed above looked like for Email notification not telegram. To be honest not sure what you have configured. I was suggesting to Email notification template configuration. So I assume you using something different?

I haven’t seen that before , and again I assume your talking about this template ?

Or this template?

ericwu · March 10, 2022, 5:35am

@gsmith Thanks for your help
Actually, I used telegram plugin for notification.
As below :

I think the message template as same as the mail notification.
Am I right ?

gsmith · March 10, 2022, 5:51am

Hello,

Oh I understand now.

Some of the macros (i.e. ${message}) are the same. To be honest I haven’t used that plugin. You maybe missing some type of configuration that gets read my Telegram plugin but Im not 100% sure

Have you seen this?

GitHub - irgendwr/TelegramAlert: 🔔 Telegram Notification Plugin for Graylog

What I do know is this section will send your backlog message.

${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message.message}

Like I said I haven’t use that Plugin, but maybe someone else here has. If I have time I might be able to test this out later.

ericwu · March 10, 2022, 5:54am

@gsmith
I am thankful for your assistance.

gsmith · March 10, 2022, 10:29pm

Hello,
I notice another member @tomasi was using Telegram, Perhaps he maybe able to help.
He posted here

system · March 24, 2022, 10:30pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Alert Custom Message Template - Trying to use other Backlog message fields Graylog Central (peer support)	5	2075	April 9, 2021
Events fields & notifications Graylog Central (peer support)	2	2379	February 20, 2020
[REQ] Help to customize the body of the email Alarm Notification Graylog Central (peer support)	9	1399	April 18, 2022
Notification email backlog blank despite enabled Graylog Central (peer support)	3	2238	September 14, 2020
Problem with backlog message Graylog Central (peer support)	24	4179	May 3, 2021

How to customize my backlog message?

Related Topics