How to get username showing in email notification

How do I get the username from the message logs displayed to be in the email so I know who this log is for.

Below is my email Body template but User Name does not work.

--- [Event Definition] ---------------------------
Title: ${event_definition_title}
Description: ${event_definition_description}

--- [Event] --------------------------------------
Timestamp: ${event.timestamp}
Message: ${event.message}
Source: ${event.source}
User Name: ${message.fields.user}

${if backlog}
Last messages accounting for this alert:
${foreach backlog message}

In the logs the username shows as user="john.smith"

Hi @tor

You need to use a foreach loop to extract the user field:
${foreach backlog message}${message.fields.user}${end}

For example I use this message text after somebody connects to a switch:
${foreach backlog message} Source device: ${message.source} Username: ${message.fields.username} IP: ${message.fields.srcip} ${end}

You can also use the same technique in the message subject, for example I use this:
User ${foreach backlog message}${message.fields.username}${end} connected to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}


Thanks for the reply shoothub.

I did this but I did not get any username showing. Is this correct?

--- [Event Definition] ---------------------------
Title: ${event_definition_title}
Description: ${event_definition_description}

--- [Event] --------------------------------------
Timestamp: ${event.timestamp}
Message: ${event.message}
Source: ${event.source}
User Name: ${message.fields.user}

${if backlog}
Last messages accounting for this alert:
${foreach backlog message}${message.fields.user}
${message}
${end}
${end}

So I did it again, with $Username:{message.fields.user}
and it just added at the beginning of the log file
Last messages accounting for this alert:
$Username:{message.fields.user}

but no username displayed.

Try replacing the line with:
User Name: ${foreach backlog message}${message.fields.user}${end}

Check also in Notification tab in event definition, that Message Backlog is set to 1. It means: Number of messages to be included in Notifications.


Hi Shoothub,
So I changed it to what you recommended but I got no username showing. Just shows
User Name: then nothing after it.

Please post the entire Body Template you use, because it doesn't contain some lines from the default template:

${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

Does the default template show the complete message?

So I deleted some of the fields because I was getting data in the email that was not relevant.
Default template does show complete message like this one but not the username.

--- [Event Definition] ---------------------------
Title: ${event_definition_title}
Description: ${event_definition_description}

--- [Event] --------------------------------------
Timestamp: ${event.timestamp}
Message: ${event.message}
Source: ${event.source}
User Name: ${foreach backlog message}${message.fields.User}${end}

${if backlog}
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

Hello,

I'm just chiming in. I tested @shoothub's suggestion and this worked for us.

Make sure you have the field in your logs that’s called user.

Also…

Should be good to go unless you have made another configuration we don't know about.

test_user_field
--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${if stream_url}Stream URL: ${stream_url}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message.fields.user}
----------------[End of Backlog]---------------------------
${end}
${end}

gsmith thanks for confirming. So this still does not work for me and I do see the field user in my logs.

Does User Name: ${foreach backlog message}${message.fields.user}${end} need to be placed in a specific area in the body of the template? At present it's with the --- [Event] ---
Below is the output from my logfile that gets emailed to me

{index=firewall_5, message=<185>date=2021-07-30 time=15:41:45 devname="FN-501E-C-1-LDC90-GB" devid="FG5H1E5819906992" eventtime=1627656105314197521 tz="+0100" logid="0101039426" type="event" subtype="vpn" level="alert" logdesc="SSL VPN login fail" action="ssl-login-fail" tunneltype="ssl-web" tunnelid=0 remip=999.999.179.99 user="john.smith" group="N/A" dst_host="N/A" reason="sslvpn_login_permission_denied" msg="SSL user failed to logged in", timestamp=2021-07-30T14:41:44.855Z, source="FN-501E-C-1-LDC98-GB", stream_ids=[60dc4dee41f57f68bd8cb1de, 60dc4ded41f57f68bd8cb19b, 60dc4ded41f57f68bd8cb1b1], fields={devid="FG5H1E2819970992", msg=SSL user failed to logged in, gl2_accounted_message_size=717, gl2_remote_port=4676, gl2_message_id=01FBVXTAX1EFX6RZ4T2G24NTY9, gl2_source_input=60dd82eb41f57f69999e0239, type="event", logdesc=SSL VPN login fail, subtype="vpn", action="ssl-login-fail", gl2_source_node=5b2e83f5-0328-4438-84c4-0d0da7082a55, logid="99999999", group=N/A}, id=42f7fa71-f144-11eb-b476-009999997bf6}

What I posted above (test_user_field) works, maybe give that a try. If not, come back here and show us what went wrong, like any errors in the GUI or in the log files.

gSmith I did try your (test_user_field) before as well. No errors in the gui and I do receive the log file notification in my email just no user name.

Where do I find the log files for this when the event runs and sends the notification?

If you're looking for the default file locations for your Graylog server log:

https://docs.graylog.org/en/4.1/pages/configuration/file_location.html

What I personally would do is create a stream with the USER field and test your logs against that stream.
Seems like you're missing something. Try executing a global search for the field user and maybe work around that log file by creating a Stream → Event Definition → Notification.
Other than that I'm not sure.

EDIT: Can I ask what type of INPUT you're using? Is this a firewall log? Could we see the message from your global search?

Maybe check here if that "user" field exists.

You might have to create the user field. I had to for my firewall. First I created a GROK pattern called firewall_user

(?>(?<!\\)(?>"(?>\\.|[^\\"]+)+"|""|(?>'(?>\\.|[^\\']+)+')|''|(?>`(?>\\.|[^\\`]+)+`)|``))

Then I created an extractor using that GROK pattern.

Message received with the field created.


Hi gsmith,
I will test what you have suggested. I am using a Raw/Plaintext UDP input for this firewall log.

As you can see from the screenshot I have a field user.

Sounds good, fill us in what happens.

When creating a stream, is there a wildcard for all users to be used in Value?

Hello,

If you need just the field and all values under that field, then try this.


When you use "Match Exactly" that would be for a specific user name.
