How to send email alerts using Gmail

Sending email alerts

Because I know it’s not obvious from the interface and the documentation is vague, I’m writing this tutorial to document the process for configuring the email settings for Graylog and for configuring alerts to be sent via email. I’m using CentOS7 as a base, so instructions will differ if you’re using the OVA or another distribution. Configuration is also for Gmail as that is our email provider, so adapt to your own service where necessary.

Configure graylog server

Firstly, you must configure your server to allow email to be sent from Graylog. Open /etc/graylog/server/server.conf in a text editor, find and uncomment the following lines and configure them appropriately:

Email transport

transport_email_enabled = true
transport_email_hostname = smtp.gmail.com
# 465 is SMTPS; if your provider uses 587 instead, set use_tls = true and use_ssl = false
transport_email_port = 465
transport_email_use_auth = true
transport_email_use_tls = false
transport_email_use_ssl = true
# an account created solely for sending automated email; a Google account with 2-Step Verification must use an app password here, not the account password
transport_email_auth_username = specialaccount@yourdomain.tld
transport_email_auth_password = Y0urPassw0rd!
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@example.com

Keep comments on their own lines: server.conf is a Java properties file, so a # written after a value is stored as part of that value (transport_email_enabled = true #This is important! is not a valid boolean). transport_email_use_tls selects STARTTLS and transport_email_use_ssl selects SMTPS; Graylog does not accept both at once, so pick the one that matches the port. The file now contains a mail password in clear, so keep it readable by root and the graylog group only (chown root:graylog, chmod 640).

Once you finish the above, close the text file and run:
$ sudo systemctl restart graylog-server
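Before restarting it is worth checking the file mechanically, because the two mistakes that are easiest to make here are silent: an inline # comment that becomes part of a value, and use_tls and use_ssl both set to true. The script below is an added example, not part of the original post and not Graylog's own code. The two configuration samples inside it are constructed from the settings above (one as they were first posted with inline comments, one corrected), and the permission check assumes the package layout where graylog-server runs as user graylog and the file can be root:graylog 640.

```python
"""Lint the transport_email_* settings in a Graylog server.conf before restarting."""
import os
import re
import stat
import tempfile

# Constructed sample: the settings with inline '#' comments after the values.
AS_POSTED_CONF = """\
transport_email_enabled = true #This is important!
transport_email_hostname = smtp.gmail.com #Take note of this address!
transport_email_port = 465 #Yours may vary
transport_email_use_auth = true
transport_email_use_tls = true
transport_email_use_ssl = true
transport_email_auth_username = specialaccount@yourdomain.tld #This is an account you've created
transport_email_auth_password = Y0urPassw0rd!
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@example.com
"""

# Constructed sample: comments on their own lines, SMTPS only.
CORRECTED_CONF = """\
# Gmail over SMTPS: port 465 with use_ssl; use_tls (STARTTLS) stays off.
transport_email_enabled = true
transport_email_hostname = smtp.gmail.com
transport_email_port = 465
transport_email_use_auth = true
transport_email_use_tls = false
transport_email_use_ssl = true
transport_email_auth_username = specialaccount@yourdomain.tld
transport_email_auth_password = Y0urPassw0rd!
transport_email_subject_prefix = [graylog]
transport_email_from_email = graylog@example.com
"""


def parse_properties(text):
    """Parse the Java-properties style that server.conf uses.

    Only a line that starts with '#' or '!' is a comment; a '#' after the
    value is part of the value, which is exactly the trap reported below.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip()
    return settings


def lint_email_transport(text):
    """Return a list of problems in the transport_email_* settings (empty means OK)."""
    raw = {k: v for k, v in parse_properties(text).items() if k.startswith("transport_email_")}
    problems = []
    for key, value in raw.items():
        if "#" in value:
            problems.append(f"{key}: inline comment would be stored in the value {value!r}")

    def val(key):
        # Evaluate the remaining rules on the value the author meant to set.
        return raw.get(key, "").split("#", 1)[0].strip()

    if val("transport_email_enabled") != "true":
        problems.append("transport_email_enabled must be true for alerts to be mailed")
    tls = val("transport_email_use_tls") == "true"
    ssl_ = val("transport_email_use_ssl") == "true"
    port = val("transport_email_port")
    if tls and ssl_:
        problems.append("use_tls (STARTTLS) and use_ssl (SMTPS) are mutually exclusive: pick one")
    elif not (tls or ssl_):
        problems.append("neither use_tls nor use_ssl is set: credentials would cross the network in clear")
    if port == "465" and not ssl_:
        problems.append("port 465 is SMTPS: set transport_email_use_ssl = true")
    if port == "587" and not tls:
        problems.append("port 587 is submission with STARTTLS: set transport_email_use_tls = true")
    if val("transport_email_use_auth") == "true":
        for key in ("transport_email_auth_username", "transport_email_auth_password"):
            if not val(key):
                problems.append(f"{key} is required when transport_email_use_auth = true")
    return problems


def conf_permission_problems(path):
    """The file holds a mail password: flag it if it is readable by everyone."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        return [f"{path} is mode {mode:o}: chown root:graylog and chmod 640"]
    return []


def permission_problems_for_mode(mode):
    """Try conf_permission_problems on a throwaway file with the given mode."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return conf_permission_problems(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for problem in lint_email_transport(AS_POSTED_CONF):
        print("-", problem)
    print("corrected sample problems:", lint_email_transport(CORRECTED_CONF))
```

Run it against the real file with lint_email_transport(open("/etc/graylog/server/server.conf").read()) and conf_permission_problems("/etc/graylog/server/server.conf"); an empty list from both is the condition for restarting.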

Configure the firewall

On CentOS 7 the firewalld zone rules filter inbound connections only, so a stock host can already open an outbound connection to smtp.gmail.com and nothing has to be opened for Graylog to send mail. Open the port from server.conf only if the Graylog host itself runs the SMTP relay that other machines connect to; if outbound SMTP is blocked, that is being done elsewhere (a direct or rich rule, or an upstream firewall) and has to be fixed there. Should you need the inbound rule, note the syntax: --add-port takes port/protocol, and the shorthand --add-service=smtp covers port 25 only.

$ sudo firewall-cmd --add-port=465/tcp
$ sudo firewall-cmd --permanent --add-port=465/tcp
$ sudo firewall-cmd --reload

Configure stream

This is optional, but you may want to separate the content used for these alerts into a unique stream. I did this for my Windows servers because I wanted the alerts to be based on information found only in the nxlog information forwarded from those.

  1. Click ‘Streams’ on the top menu.
  2. Click ‘Create Stream’
  3. In the popover dialog box that appears, give the new Stream a name (mine is ‘Windows server’ which we will see used below) and description, and select the index set from which you will be creating your Stream, and click ‘Save’.
    Note: the rules that select messages for the new Stream are not created here, as that is not available from this screen.
  4. Click ‘Manage Rules’ on the right side of your new Stream which is now listed on the page.
  5. You may find it helpful to load a message from the input to determine the possible fields and values from which to generate the rules for your stream. For instance, Windows log messages have an ‘EventType’ field which may contain the value ‘AUDIT_FAILURE’.
  6. Click ‘Add stream rule’ and in the dialog popover that appears, type the name of the field you want Graylog to check in order to add messages to the stream. Select whether you want to match the value exactly, match a regular expression, match all values greater or less than, all values for which the field is present, all values which contain the value in question, or always match. Type the Value you expect to find for those messages in the stream, unless you chose ‘field presence’ or ‘always match’. Optionally, add a description for this rule. Click the checkbox labelled ‘Inverted’ if you want all messages that do NOT match the conditions. Click ‘Save’ to return to the ‘stream rules’ page, and repeat this instruction to add more rules if desired.
  7. Click the radio button to select ‘A message must match all of the following rules’ or ‘A message must match at least one of the following rules’ and click ‘I’m done!’ when all rules are added.

Configuring alerts

Graylog offers several condition types for triggering alerts. The simplest is the field content condition, which we will use below.

  1. Click ‘Alerts’ in the top menu
  2. Click ‘Manage conditions’
  3. Click ‘Add new condition’
  4. Select your stream from the ‘Alert on stream’ dropdown menu. Mine is ‘Windows server’ as named above.
  5. Select ‘Field Content Alert Condition’ in the ‘Condition type’ dropdown menu. Click ‘Add alert condition’
  6. In the popover dialog box that appears, give your Condition a Title, the Field that should be checked, and the Value for which you want to receive alerts. Set a ‘Grace Period’ to avoid receiving multiple alerts when the condition is met repeatedly in quick succession, and a ‘Message Backlog’ to include in the alert the messages that preceded the condition being met. Tick ‘Repeat notifications’ to be notified every time the condition is met again, subject to the grace period. Click ‘Save.’
  7. Click ‘Manage notifications’
  8. Click ‘Add new notification’
  9. Select your stream from the ‘Notify on stream’ dropdown menu. Mine is ‘Windows server’ again, as named above.
  10. Select ‘Email Alert Callback’ from the ‘Notification type’ dropdown menu. Click ‘Add alert notification.’
  11. In the dialog popover that appears, give your Email Alert a Title (only used to identify this notification in the Graylog web interface), Subject including variables to inject information from the stream and condition, Sender email address (I chose graylog@ourdomain.com). Default values for Subject and Body contain template placeholders for information about the condition and alert, which should be sufficient in most cases. You may choose to have this notification show in the Graylog interface for specific users when logged in, and of course you will want to specify an Email Receiver with the intended recipients’ actual email addresses. Click ‘Save.’

Testing your configuration

In order to be sure you will receive notifications when there is a condition met, you can click ‘Test’ on the page for a specific Alert notification.
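When that Test button fails, the error Graylog shows is rarely specific. The script below is an added example, not part of the original post and not Graylog's code: run on the Graylog host, it sends one message with the same host, port, encryption mode and credentials as server.conf, so a failure can be pinned to DNS, egress filtering, certificate validation or authentication rather than to Graylog itself. The addresses and the password in it are placeholders to replace with your own; with Gmail, a Google account that has 2-Step Verification must use an app password here, exactly as in server.conf.

```python
"""Send one test message with the SMTP settings Graylog uses, outside Graylog."""
import smtplib
import ssl
from email.message import EmailMessage


def encryption_mode(use_ssl, use_tls):
    """Map the two server.conf flags to one transport; both true is an error, as in Graylog."""
    if use_ssl and use_tls:
        raise ValueError("transport_email_use_ssl and transport_email_use_tls are mutually exclusive")
    if use_ssl:
        return "smtps"       # implicit TLS from the first byte, port 465
    if use_tls:
        return "starttls"    # submission port 587, upgraded after EHLO
    return "plaintext"       # credentials in clear: only for a relay on localhost


def build_test_message(sender, recipient, subject_prefix="[graylog]"):
    """Mirror the subject prefix Graylog adds so the test mail lands in the same filters."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"{subject_prefix} SMTP transport test"
    msg.set_content("Sent from the Graylog host to verify the transport_email_* settings.")
    return msg


def open_smtp(host, port, use_ssl, use_tls, timeout=15):
    """Open the session the way the transport settings describe, verifying the relay's certificate."""
    mode = encryption_mode(use_ssl, use_tls)
    ctx = ssl.create_default_context()   # system CA bundle, hostname check on
    if mode == "smtps":
        return smtplib.SMTP_SSL(host, port, timeout=timeout, context=ctx)
    conn = smtplib.SMTP(host, port, timeout=timeout)
    conn.ehlo()
    if mode == "starttls":
        conn.starttls(context=ctx)
        conn.ehlo()                      # capabilities change after the upgrade
    return conn


def send_test_mail(host, port, use_ssl, use_tls, username, password, sender, recipient):
    """Authenticate and send; returns the dict of refused recipients ({} means all accepted)."""
    with open_smtp(host, port, use_ssl, use_tls) as conn:
        if username:
            conn.login(username, password)
        return conn.send_message(build_test_message(sender, recipient))


if __name__ == "__main__":
    # Placeholder values: substitute the ones from your server.conf.
    refused = send_test_mail("smtp.gmail.com", 465, True, False,
                             "specialaccount@yourdomain.tld", "app-password-here",
                             "graylog@example.com", "oncall@example.com")
    print("refused recipients:", refused or "none")
```

An SMTPAuthenticationError here with Gmail almost always means the account password was used instead of an app password; an SSLError means the host cannot validate the relay's certificate (check the system CA bundle and the clock); a timeout or connection refused points at name resolution or egress filtering, not at Graylog.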


Feel free to improve the documentation via a pull request:

Why would you require to allow access to 465/tcp and 25/tcp on the machine running Graylog?


I’m sorry that that sounded snarky. I did open the documentation in GitHub, but had to demonstrate the configuration I made at work today. I will amend and use my write-up to improve the documentation.
