Hi Graylog,
I have successfully set up and configured my Graylog server and as a result I am testing alerts.
I have created various alerts to monitor Windows Eventlogs where if a certain event is triggered then I receive an email alert; this part is working fine. However, when I receive my alert I am lacking a great deal of information about the alert, meaning I am not provided with the eventlog description, the event ID, etc.
An example of a notification I am receiving:
--- [Event Definition] ---------------------------
Title: Eventlog - Accounts
Description: Notifies administrators when accounts are created or modified.
Type: aggregation-v1
--- [Event] --------------------------------------
Timestamp: 2020-05-05T19:59:03.000Z
Message: Eventlog - Accounts
Source: XXXlog01
Key:
Priority: 3
Alert: true
Timestamp Processing: 2020-05-05T19:59:03.000Z
Timerange Start:
Timerange End:
Fields:
Upon further investigation it looks like my notification message is cutting out the “[Backlog]” portion out of my email template.
The Body Template I am using with my email template (the default one):
--- [Event Definition] ---------------------------
Title: ${event_definition_title}
Description: ${event_definition_description}
Type: ${event_definition_type}
--- [Event] --------------------------------------
Timestamp: ${event.timestamp}
Message: ${event.message}
Source: ${event.source}
Key: ${event.key}
Priority: ${event.priority}
Alert: ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start: ${event.timerange_start}
Timerange End: ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}
${end}
Any idea how I can fix my problem with my email alerts lacking description? For example, I want my email alerts to look like this:
(Source: https://vdalabs.com/2020/02/26/no-more-secrets-logging-made-easy-through-graylog-part-3/)
Thanks for the help!
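To see why the `[Backlog]` section can vanish from a mail rendered with the default body template, here is a small renderer for the template subset that template uses (this is an added example written for this thread, not Graylog's own JMTE engine; the event and backlog values are constructed). It shows that `${if backlog}` emits its section only when the backlog list is non-empty, so a notification whose event definition supplies no backlog messages will render exactly the truncated mail shown above.

```python
import re
# Tiny re-implementation of the JMTE subset used by Graylog's default email body
# template (${a.b}, ${foreach list item}...${end}, ${if var}...${end}); an added
# illustration, not Graylog's own renderer.
TAG = re.compile(r"\$\{([^}]*)\}")
def lookup(path, scope):
    for part in path.split("."):  # dotted path such as event.fields
        scope = scope.get(part) if isinstance(scope, dict) else None
    return scope

def render(tokens, i, scope):
    """Render from token i to the matching ${end}; return (text, next index)."""
    out = []
    while i < len(tokens):
        if i % 2 == 0:  # even tokens are literal text, odd ones are tag bodies
            out.append(tokens[i]); i += 1; continue
        tag = tokens[i].split(); i += 1
        if tag[0] == "end":
            break
        if tag[0] == "if":
            body, i = render(tokens, i, scope)
            if lookup(tag[1], scope):  # None and an empty list are false, as in JMTE
                out.append(body)
        elif tag[0] == "foreach":
            seq = lookup(tag[1], scope) or []
            if isinstance(seq, dict):  # map entries expose .key / .value
                seq = [{"key": k, "value": v} for k, v in seq.items()]
            start = i
            for item in seq:
                body, i = render(tokens, start, {**scope, tag[2]: item})
                out.append(body)
            i = i if seq else render(tokens, start, scope)[1]  # skip body when empty
        else:
            out.append(str(lookup(tag[0], scope) or ""))
    return "".join(out), i

TEMPLATE = """Message: ${event.message}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
${foreach backlog message}
${message}
${end}
${end}"""

def build_notification(backlog):
    # Constructed sample event in the shape of the post's "Eventlog - Accounts" alert.
    event = {"message": "Eventlog - Accounts", "fields": {"EventID": "4720"}}
    return render(TAG.split(TEMPLATE), 0, {"event": event, "backlog": backlog})[0]
```

Calling `build_notification([])` yields a mail with the event fields but no `[Backlog]` block, while `build_notification(["<log line>"])` includes the block and the message.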