Sending email alerts
Because I know it’s not obvious from the interface and the documentation is vague, I’m writing this tutorial to document the process for configuring the email settings for Graylog and for configuring alerts to be sent via email. I’m using CentOS 7 as a base, so instructions will differ if you’re using the OVA or another distribution. The configuration is also for Gmail, as that is our email provider, so adapt it to your own service where necessary.
Configure the Graylog server
Firstly, you must configure your server to allow email to be sent from Graylog. Open /etc/graylog/server/server.conf in a text editor, find and uncomment the following lines and configure them appropriately:
# Keep comments on their own line: server.conf is read as a Java properties file,
# so anything after the value on the same line (including a trailing "# ...")
# becomes part of the value and the server fails to parse it.
# This is important!
transport_email_enabled = true
# Take note of this address!
transport_email_hostname = smtp.gmail.com
# Yours may vary
transport_email_port = 465
transport_email_use_auth = true
# Port 465 is SMTPS, so enable use_ssl and leave use_tls (STARTTLS) off: Graylog's
# own server.conf notes that STARTTLS and SMTPS cannot be enabled at the same time.
# For port 587 (STARTTLS) set use_tls = true and use_ssl = false instead.
transport_email_use_tls = false
transport_email_use_ssl = true
# This is an account you've created for the purpose of sending automated emails
transport_email_auth_username = firstname.lastname@example.org
transport_email_auth_password = Y0urPassw0rd!
transport_email_subject_prefix = [graylog]
transport_email_from_email = email@example.com
Once you finish the above, close the text file and run:
$ sudo systemctl restart graylog-server
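As an added check (my own script, not part of Graylog or this tutorial), the following reads the transport_email block the way Java properties are read and flags the two mistakes that are easy to make above: an inline comment that becomes part of a value, and STARTTLS and SMTPS both switched on. The sample configuration embedded in it is constructed to contain both mistakes; the mode check exists because server.conf holds the SMTP password in clear text.

```python
import stat

# Constructed sample of the transport_email block with two deliberate mistakes:
# an inline '#' comment and STARTTLS plus SMTPS both enabled.
SAMPLE_CONF = """\
transport_email_enabled = true #This is important!
transport_email_hostname = smtp.gmail.com
transport_email_port = 465
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = firstname.lastname@example.org
transport_email_auth_password = Y0urPassw0rd!
transport_email_from_email = email@example.com
"""

def parse_properties(text):
    """Read key = value lines like java.util.Properties: a line is a comment
    only if it *starts* with '#' or '!'; a '#' after the value is data."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check_email_transport(props):
    """Return a list of problems found in the transport_email_* settings."""
    get = lambda k: props.get(k, "").lower()
    problems = []
    if get("transport_email_enabled") != "true":
        problems.append("transport_email_enabled is %r, not 'true'" % props.get("transport_email_enabled"))
    tls, ssl, port = get("transport_email_use_tls"), get("transport_email_use_ssl"), get("transport_email_port")
    if tls == "true" and ssl == "true":
        problems.append("use_tls (STARTTLS) and use_ssl (SMTPS) cannot both be enabled")
    if port == "465" and ssl != "true":
        problems.append("port 465 is SMTPS but transport_email_use_ssl is not true")
    if port == "587" and tls != "true":
        problems.append("port 587 is STARTTLS but transport_email_use_tls is not true")
    if get("transport_email_use_auth") == "true" and not props.get("transport_email_auth_password"):
        problems.append("use_auth is true but transport_email_auth_password is empty")
    return problems

def conf_mode_problem(st_mode):
    """server.conf stores the SMTP password in clear text, so it must not be
    world-readable. Takes os.stat(path).st_mode; returns a message or None."""
    mode = stat.S_IMODE(st_mode)
    return "server.conf is world-readable (mode %s)" % oct(mode) if mode & stat.S_IROTH else None
```

Run it against the real file with `check_email_transport(parse_properties(open(path).read()))` and `conf_mode_problem(os.stat(path).st_mode)` before restarting the server.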
Configure the firewall
You must allow SMTP traffic and open the port you specified in server.conf (465/tcp here; firewall-cmd expects port/protocol):
$ sudo firewall-cmd --add-port=465/tcp
$ sudo firewall-cmd --permanent --add-port=465/tcp
$ sudo firewall-cmd --reload
Create a stream (optional)
This is optional, but you may want to separate the content used for these alerts into a unique stream. I did this for my Windows servers because I wanted the alerts to be based on information found only in the nxlog information forwarded from those.
- Click ‘Streams’ on the top menu.
- Click ‘Create Stream’
- In the popover dialog box that appears, give the new Stream a name (mine is ‘Windows server’, which we will see used below) and a description, select the index set from which you will be creating your Stream, and click ‘Save’.
Note: we have not yet created the rules that select messages for the new Stream, as that is not available from this screen.
- Click ‘Manage Rules’ on the right side of your new Stream which is now listed on the page.
- You may find it helpful to load a message from the input to determine the possible fields and values from which to generate the rules for your stream. For instance, Windows log messages have an ‘EventType’ field which may contain the value ‘AUDIT_FAILURE’.
- Click ‘Add stream rule’ and in the dialog popover that appears, type the name of the field you want Graylog to check in order to add messages to the stream. Select whether you want to match the value exactly, match a regular expression, match all values greater than or less than a given number, match all messages in which the field is present, match all values which contain the value in question, or always match. Type the Value you expect to find for those messages in the stream, unless you chose ‘field presence’ or ‘always match’. Optionally, add a description for this rule. Click the checkbox labelled ‘Inverted’ if you want all messages that do NOT match the conditions. Click ‘Save’ to return to the ‘stream rules’ page, and repeat this instruction to add more rules if desired.
- Click the radio button to select ‘A message must match all of the following rules’ or ‘A message must match at least one of the following rules’ and click ‘I’m done!’ when all rules are added.
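To make the rule semantics concrete, here is my own model of the rule types offered in the dialog above, including the ‘Inverted’ checkbox and the all/at-least-one choice (an added illustration, not Graylog's implementation). The messages are constructed to look like nxlog-forwarded Windows events, and the rules describe a ‘Windows server’ stream of audit failures from domain controllers.

```python
import re

# The rule types offered in the 'Add stream rule' dialog, modelled here
# (my own illustration, not Graylog's code).
EXACT, REGEX, GREATER, SMALLER, PRESENCE, CONTAINS, ALWAYS = range(7)

def rule_matches(msg, field, rtype, value=None, inverted=False):
    """Evaluate one stream rule against a message (a dict of fields)."""
    present = field in msg
    actual = str(msg.get(field, ""))
    if rtype == ALWAYS:
        hit = True
    elif rtype == PRESENCE:
        hit = present
    elif not present:
        hit = False                       # every other type needs the field
    elif rtype == EXACT:
        hit = actual == value
    elif rtype == REGEX:
        hit = re.search(value, actual) is not None
    elif rtype == CONTAINS:
        hit = value in actual
    else:                                 # GREATER / SMALLER: numeric only
        try:
            num, limit = float(actual), float(value)
            hit = num > limit if rtype == GREATER else num < limit
        except (TypeError, ValueError):
            hit = False
    return (not hit) if inverted else hit  # the 'Inverted' checkbox

def in_stream(msg, rules, match_all=True):
    """The radio-button choice: a message must match all rules, or at least one."""
    results = [rule_matches(msg, *rule) for rule in rules]
    return all(results) if match_all else any(results)

# Constructed messages in the shape of nxlog-forwarded Windows events.
MESSAGES = [
    {"source": "dc01", "EventType": "AUDIT_FAILURE", "EventID": 4625},
    {"source": "dc01", "EventType": "AUDIT_SUCCESS", "EventID": 4624},
    {"source": "app02", "EventType": "INFO", "EventID": 7036},
    {"source": "app02", "message": "heartbeat"},          # no EventType at all
]
# Rules for the 'Windows server' stream: an audit failure from a domain controller.
WINDOWS_RULES = [("EventType", EXACT, "AUDIT_FAILURE"), ("source", REGEX, r"^dc\d+$")]
# An inverted 'field presence' rule catches messages that lack EventType entirely.
NO_EVENTTYPE = [("EventType", PRESENCE, None, True)]

if __name__ == "__main__":
    for m in MESSAGES:
        print(m.get("source"), in_stream(m, WINDOWS_RULES), in_stream(m, NO_EVENTTYPE))
```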
Configure alert conditions
There are many types of Conditions to configure Graylog to use to initiate alerts. The simplest is a field content condition, which we will use below.
- Click ‘Alerts’ in the top menu
- Click ‘Manage conditions’
- Click ‘Add new condition’
- Select your stream from the ‘Alert on stream’ dropdown menu. Mine is ‘Windows server’ as named above.
- Select ‘Field Content Alert Condition’ in the ‘Condition type’ dropdown menu. Click ‘Add alert condition’
- In the popover dialog box that appears, give your Condition a Title, the Field that should be checked, and the Value for which you want to receive alerts. You may want to set a value for ‘Grace Period’ to keep from receiving multiple alerts when a condition occurs several times in quick succession, and for ‘Message Backlog’ to include in the alert messages which arrived before the condition was met. Click the checkbox for ‘Repeat notifications’ to receive a notification each time the condition is met again, subject to the delay set in the ‘Grace Period’ field. Click ‘Save’.
Configure alert notifications
- Click ‘Manage notifications’
- Click ‘Add new notification’
- Select your stream from the ‘Notify on stream’ dropdown menu. Mine is ‘Windows server’ again, as named above.
- Select ‘Email Alert Callback’ from the ‘Notification type’ dropdown menu. Click ‘Add alert notification.’
- In the dialog popover that appears, give your Email Alert a Title (only used to identify this notification in the Graylog web interface), a Subject (which may include variables that inject information from the stream and condition), and a Sender email address (I chose firstname.lastname@example.org). The default Subject and Body contain template placeholders for information about the condition and alert, which should be sufficient in most cases. You may choose to have this notification shown in the Graylog interface to specific users when they are logged in, and of course you will want to specify an Email Receiver with the intended recipients’ actual email addresses. Click ‘Save’.
Testing your configuration
In order to be sure you will receive notifications when a condition is met, you can click ‘Test’ on the page for a specific alert notification.