How to pass variables in Alert Configuration


(iCirconflexe) #1

Hello,

I’m trying to pass variables in Alert Configuration. I’ve tried HTTP Callback Alarm

in the form Editing alert configuration:
Title: Test Alert
URL: http://server/graylog.php?info=${message}

I try to pass the message or the message id: I set it with the syntax “${message}”… Is there a way to pass the variable, please?


(Philipp Ruland) #2

Heyo @iCirco,

AFAIK there is currently no way to use a variable in the URL of the HTTP notification like with the Email notification.

You’ve got two options in my opinion:

  • Search for this feature in the Graylog GitHub Issues and give it a bump or create a new issue if there is none yet to let the folks know that this is a wanted feature.
  • Graylog POSTs a very verbose body with JSON payload. If you can adapt your PHP script to read the needed values from that, it’ll simply work like it is right now. Just remember to set a backlog of more than 0. The complete HTTP body is explained here.

Greetings,
Philipp


(iCirconflexe) #3

Hi,

Thanks for the reply. I configured an HTTP Alarm callback but when I get the POST I get this kind of answer:

{
   "check_result":{
      "result_description":"Dummy alert to test notifications",
      "triggered_condition":{
         "id":"e38eee99-77e0-4f02-8e3e-d2995fc930f7",
         "type":"dummy",
         "created_at":"2018-09-14T12:40:42.901Z",
         "creator_user_id":"admin",
         "title":"Test Alert",
         "parameters":{

         }
      },
      "triggered_at":"2018-09-14T12:40:42.901Z",
      "triggered":true,
      "matching_messages":[

      ]
   },
   "stream":{
      "creator_user_id":"admin",
      "outputs":[

      ],
      "description":"test",
      "created_at":"2018-09-13T12:49:33.085Z",
      "rules":[
         {
            "field":"message",
            "stream_id":"5b9a5cdd1e4fca4175317393",
            "description":"",
            "id":"5b9a7cc41e4fca417531963d",
            "type":6,
            "inverted":false,
            "value":"9999"
         }
      ],
      "alert_conditions":[
         {
            "creator_user_id":"admin",
            "created_at":"2018-09-13T15:09:37.091Z",
            "id":"76fb1a72-0186-41ac-8480-9e441da80053",
            "type":"field_content_value",
            "title":"9999",
            "parameters":{
               "grace":0,
               "backlog":0,
               "repeat_notifications":true,
               "field":"trgalerting",
               "value":"ALERTING"
            }
         }
      ],
      "title":"Stream 9999",
      "content_pack":null,
      "is_default_stream":false,
      "index_set_id":"5b97e43b1e4fca65d30a393d",
      "matching_type":"AND",
      "remove_matches_from_default_stream":false,
      "disabled":false,
      "id":"5b9a5cdd1e4fca4175317393"
   }
}

This way is not too bad to get an alert but I don’t have the message field. I tried to get the message to send it in my ticketing application.

Is there a way to get the message by command line (curl)?


(Philipp Ruland) #4

Heyo 🙂

Your matching messages will be inside the matching_messages JSON object. It’s simply not in your example, because you used the test function that does not include any backlog 🙂

Greetings,
Philipp

PS: I prettied your JSON above, you’ll see the field I mentioned easier this way 🙂


(iCirconflexe) #5

hello,

I’m sorry but I’ve tried with a real message instead of dummy test message and the matching_messages is not filled.

To get the HTTP callback alarm, I use a very simple PHP script:

<?php file_put_contents('/tmp/test.txt', file_get_contents('php://input')); ?>

{
   "check_result":{
      "result_description":"Stream received messages matching <trgalerting:\"ALERTE\"> (Current grace time: 0 minutes)",
      "triggered_condition":{
         "id":"76fb1a72-0186-41ac-8480-9e441da80053",
         "type":"field_content_value",
         "created_at":"2018-09-13T15:09:37.091Z",
         "creator_user_id":"admin",
         "title":"9999",
         "parameters":{
            "grace":0,
            "backlog":0,
            "repeat_notifications":true,
            "field":"trgalerting",
            "value":"ALERTE"
         }
      },
      "triggered_at":"2018-09-17T08:17:49.892Z",
      "triggered":true,
      "matching_messages":[

      ]
   },
   "stream":{
      "creator_user_id":"admin",
      "outputs":[

      ],
      "description":"test",
      "created_at":"2018-09-13T12:49:33.085Z",
      "rules":[
         {
            "field":"message",
            "stream_id":"5b9a5cdd1e4fca4175317393",
            "description":"",
            "id":"5b9a7cc41e4fca417531963d",
            "type":6,
            "inverted":false,
            "value":"9999"
         }
      ],
      "alert_conditions":[
         {
            "creator_user_id":"admin",
            "created_at":"2018-09-13T15:09:37.091Z",
            "id":"76fb1a72-0186-41ac-8480-9e441da80053",
            "type":"field_content_value",
            "title":"9999",
            "parameters":{
               "grace":0,
               "backlog":0,
               "repeat_notifications":true,
               "field":"trgalerting",
               "value":"ALERTE"
            }
         }
      ],
      "title":"Stream 9999",
      "content_pack":null,
      "is_default_stream":false,
      "index_set_id":"5b97e43b1e4fca65d30a393d",
      "matching_type":"AND",
      "remove_matches_from_default_stream":false,
      "disabled":false,
      "id":"5b9a5cdd1e4fca4175317393"
   }
}

(Philipp Ruland) #6

Hey 🙂

You did not set a backlog for your alert.

"backlog":0,

Set the value of backlog in your alert condition to at least 1. This is the amount of matching messages that will be included in the notification.

Greetings,
Philipp
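
Added example (not from the thread or from Graylog): one way to adapt the receiving PHP script from post #5 so that it reads the values from the POSTed JSON body, as suggested in #2, and notices the empty-backlog case. The per-message keys `message`, `source` and `timestamp`, the 1 MiB cap and the log path are assumptions; the thread only shows an empty `matching_messages` array.

```php
<?php
// Added example. Per-message keys, the size cap and the log path are assumptions.
const MAX_BODY = 1048576;                          // assumed 1 MiB cap
const ALERT_LOG = '/var/log/graylog-alerts.jsonl'; // hypothetical path

function text($v, int $max = 2000): string
{
    // Log content is attacker-influenced: accept scalars only and cap the length.
    return is_scalar($v) ? substr((string)$v, 0, $max) : '';
}

function extract_alert(string $raw): array
{
    $data = strlen($raw) <= MAX_BODY ? json_decode($raw, true) : null;
    if (!is_array($data) || !is_array($data['check_result'] ?? null)) {
        throw new InvalidArgumentException('not a Graylog alert body');
    }
    $check = $data['check_result'];
    $list = $check['matching_messages'] ?? null;
    $messages = [];
    foreach ((is_array($list) ? $list : []) as $m) {
        if (is_array($m)) {
            $messages[] = ['message' => text($m['message'] ?? null),
                'source' => text($m['source'] ?? null), 'timestamp' => text($m['timestamp'] ?? null)];
        }
    }
    return ['stream' => text($data['stream']['title'] ?? null),
        'description' => text($check['result_description'] ?? null),
        'backlog' => (int)($check['triggered_condition']['parameters']['backlog'] ?? 0),
        'messages' => $messages];
}

if (PHP_SAPI === 'cli') {
    // Constructed sample body, so the parser can be checked offline.
    $sample = '{"check_result":{"result_description":"demo","triggered_condition":'
        . '{"parameters":{"backlog":1}},"matching_messages":[{"message":"ALERTE 9999",'
        . '"source":"host1","timestamp":"2018-09-17T08:17:49.892Z"}]},"stream":{"title":"Stream 9999"}}';
    print_r(extract_alert($sample));
} else {
    try {
        $alert = extract_alert((string)file_get_contents('php://input', false, null, 0, MAX_BODY + 1));
        if ($alert['messages'] === []) { // the symptom in the thread: backlog 0
            error_log('Graylog alert has no messages; backlog=' . $alert['backlog']);
        }
        $line = json_encode($alert, JSON_INVALID_UTF8_SUBSTITUTE) . "\n";
        file_put_contents(ALERT_LOG, $line, FILE_APPEND | LOCK_EX);
        http_response_code(204);
    } catch (InvalidArgumentException $e) {
        http_response_code(400); // empty, oversized or non-alert bodies are rejected
    }
}
```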


(iCirconflexe) #7

I tried to set backlog to 1 and it’s OK now !!!

Thanks for your help