How to I get extra fields in my E-Mail Notifications?

Gamienator · April 8, 2022, 9:26pm

Hey everyone,
sorry for another tpoic, but I guess on the first setup is the most new stuff and for some reason my typical try and error almost never work here I’m really sorry to bug you all the time.

My next issue are alerts. Setting it up that way, that as soon as I got a successful login via SSH on any on my servers, I’ll get an E-Mail notification. Which works okay, but I would LOVE to have an extra Field with like Client IP, Username etc.

ATM my Mail looks like this:

So as you can see, I already figured out to add an backlog, and how to “Add” a field. But for some reason none of my data is pulled into that

My last try to get the Data is:

What is the missing part in this puzzle?

Thanks in advance!

Cheers,
Gamie

gsmith · April 8, 2022, 10:47pm

Hello @Gamienator

To help you further can wee see the whole Notification template? Specially the Body Template part.

Gamienator · April 9, 2022, 6:45am

Hey there,
sure:

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}

I expected hat if I add this fields they will be added in the template:

gsmith · April 11, 2022, 9:59pm

Hello @Gamienator

To get an extra field/s in the notification you would need to adjust your Notification template.
If I can direct you to this part of the Notification template.

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}

Below is a demo for extra fields and full message. Please take note of the macros that are used.

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
TargetUserName:    ${message.fields.TargetUserName}
WorkstationName:   ${message.fields.WorkstationName}
EventReceivedTime: ${message.fields.EventReceivedTime}
Source:            ${message.fields.source}
Message Link:      https://Graylog.domain.com:9000/messages/${message.index}/${message.id}
${end}

Click me

### This is  the Full Template ###
--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
TargetUserName:    ${message.fields.TargetUserName}
WorkstationName:   ${message.fields.WorkstationName}
EventReceivedTime: ${message.fields.EventReceivedTime}
Source:            ${message.fields.source}
Message Link:      https://Graylog.domain.com:9000/messages/${message.index}/${message.id}
${end}
${end}

To sum it up;
The full message ${message} and then what follows is TargetUserName, WorkstationName, EventReceivedTime ,Source , and message link.

If the fields are in the message/logs you can grab anyone you want.
So for starters, you need to add message and fields then the field you would like

Example, should be something like this.

${message.fields.some_field}

Message link is nice to have also, the first part is you URL for Graylog Server then add /${message.index} and /${message.id} to the end. It would direct you to the message that was triggered from your email notification.

Example.

Message Link: https://Graylog.domain.com:9000/messages/${message.index}/${message.id}

Part #2

If you using HTML in the email you now need to configure your HTML Body Template which is below the Body Template. You have two choices, either remove the configuration of the HTML Body Template or configure it.

If you decide to configure it then from the example above you would need to configure this section

${if backlog}
<br /><table width="100%" border="0" cellpadding="10" cellspacing="0" style="background-color:#f9f9f9;border:none;line-height:1.2"><tbody>
<tr><th style="background-color:#e6e6e6;line-height:1.5">Backlog (Last messages accounting for this alert)</th></tr>
${foreach backlog message}
<tr><td>${message}</td></tr>
${end}
</tbody></table>
${end}

Example from the demo Notification template above. I would need to add something like this as shown below.

${if backlog}
<br /><table width="100%" border="0" cellpadding="10" cellspacing="0" style="background-color:#f9f9f9;border:none;line-height:1.2"><tbody>
<tr><th style="background-color:#e6e6e6;line-height:1.5">Backlog (Last messages accounting for this alert)</th></tr>
${foreach backlog message}
<tr><td>${message}</td></tr>

<tr><td>TargetUserName:    ${message.fields.TargetUserName} </td></tr>
<tr><td>WorkstationName:   ${message.fields.WorkstationName} </td></tr>
<tr><td>EventReceivedTime: ${message.fields.EventReceivedTime} </td></tr>
<tr><td>Source:            ${message.fields.source} </td></tr>
<tr><td>Message Link:      https://Graylog.domain.com:9000/messages/${message.index}/${message.id}</td></tr>

${end}
</tbody></table>
${end}

Hope that helps

system · April 25, 2022, 9:59pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Events fields & notifications Graylog Central (peer support)	2	2544	February 20, 2020
Email notification not pulling additional message field Graylog Central (peer support) alert	6	79	June 6, 2024
Unable to get events fields on notifications Graylog Central (peer support)	3	604	January 29, 2021
Include Fields In Email Callback Graylog Central (peer support)	4	4420	October 24, 2017
Customise my email alerts Graylog Central (peer support)	6	499	August 15, 2022

How to I get extra fields in my E-Mail Notifications?

Related topics