After setting up alerts, I know that when an alert is triggered, it can be sent via email notification. But if I open Graylog web interface and click on “Alerts & Events,” I can see list of alerts/events that have occurred, but I don’t see any information or details for each alert/event. Is there a way to view the details of these alerts/events within Graylog, aside from the email notifications? I know I can just copy the search query of the event definition and paste it in a new search within Graylog, but this would be a tedious process. Why isn’t there an option listed in each alert/event to view results/details?
If you click the event, you get some additional information:
That is, unless you’re looking for more information than what’s provided
Yeah, I’m looking for the actual log that the email notification provides. This doesn’t give any details about each log that originally triggered the alert in the first place. The only way I’ve been able to view the log is if I manually search for it using the filter created in the event definition, or by setting up the email notification and viewing the email. It’d be nice if these alerts provided a way to click on the log that triggered the alert.
For example, I set up an event definition to create an alert when an AD account is locked out. The event definition filter shows a preview of the logs that have occurred, and these are the details I’m looking for to be able to view when viewing alerts in Graylog. Maybe there’s more to the event definition configuration that I am missing?
Hello,
There are a couple ways to achieve this.
What I have done was put the URL in my Notification message.
For example:
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
https://graylog.domain.com:9000/messages/${message.index}/${message.id}
User: ${message.fields.TargetUserName}
WorkStation Name: ${message.fields.WorkstationName}
Event Time: ${message.fields.EventReceivedTime}
Source: ${message.source}
Logon Type: ${message.fields.LogonType}
---[backlog end]---------------------------------
${end}
${end}
Message received and then just click on the link.
Message shown.
If that's not what you want, then I would suggest using a stream to catch these alerts.
Hope that helps
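The notification template in the reply above relies on three things: the `${if backlog}` guard, the `${foreach backlog message}` loop, and dotted lookups such as `${message.fields.TargetUserName}`. The script below is an added example, not code from the thread or from Graylog: a small stand-in renderer for just that `${if}`/`${foreach}`/`${end}`/`${var}` subset, so a template can be checked offline against a constructed backlog before it is wired into a notification. The backlog shape (a list of messages with `index`, `id`, `source` and a `fields` dict), the field values and the message ids are all constructed assumptions; only the link format and base URL come from the post. It also shows why a lookup that skips the `fields` level (for example `${message.LogonType}`) renders as an empty string, and that the guarded block produces nothing at all when the backlog is empty.

```python
import re

# Constructed sample backlog (assumed shape: Graylog passes a "backlog" list
# whose entries carry "index", "id", "source" and a "fields" dict). All values
# here are invented for the example.
SAMPLE_BACKLOG = [
    {
        "index": "graylog_42",
        "id": "f1a2b3c4-0000-1111-2222-333344445555",
        "source": "dc01.example.test",
        "fields": {
            "TargetUserName": "jdoe",
            "WorkstationName": "WS-0042",
            "EventReceivedTime": "2024-05-01 08:15:02",
            "LogonType": "3",
        },
    },
    {
        "index": "graylog_42",
        "id": "a9b8c7d6-0000-1111-2222-666677778888",
        "source": "dc02.example.test",
        "fields": {
            "TargetUserName": "svc-backup",
            "WorkstationName": "WS-0107",
            "EventReceivedTime": "2024-05-01 08:15:09",
            "LogonType": "3",
        },
    },
]

# Same structure as the template in the reply; link base from the post.
TEMPLATE = """${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
https://graylog.domain.com:9000/messages/${message.index}/${message.id}
User: ${message.fields.TargetUserName}
WorkStation Name: ${message.fields.WorkstationName}
Event Time: ${message.fields.EventReceivedTime}
Source: ${message.source}
Logon Type: ${message.fields.LogonType}
---[backlog end]---------------------------------
${end}
${end}"""


def resolve(path, ctx):
    """Walk a dotted path (message.fields.LogonType) through nested dicts; None if absent."""
    cur = ctx
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def lookup(path, ctx):
    """String form of a resolved path; a missing field renders as an empty string."""
    val = resolve(path, ctx)
    return "" if val is None else str(val)


def _directive(tok):
    """Return the text inside ${...} for a directive token, else None."""
    m = re.fullmatch(r"\$\{(.*)\}", tok, re.S)
    return m.group(1).strip() if m else None


def _block_end(tokens, pos):
    """Index of the ${end} closing the block whose opener sits just before pos."""
    depth = 1
    for i in range(pos, len(tokens)):
        d = _directive(tokens[i])
        if d == "end":
            depth -= 1
            if depth == 0:
                return i
        elif d is not None and (d.startswith("if ") or d.startswith("foreach ")):
            depth += 1
    raise ValueError("unterminated ${if}/${foreach} block")


def _render(tokens, ctx):
    out, i = [], 0
    while i < len(tokens):
        d = _directive(tokens[i])
        if d is None:                      # literal text between directives
            out.append(tokens[i])
            i += 1
        elif d.startswith("if "):          # emit body only when the value is truthy
            end = _block_end(tokens, i + 1)
            if resolve(d[3:].strip(), ctx):
                out.append(_render(tokens[i + 1:end], ctx))
            i = end + 1
        elif d.startswith("foreach "):     # bind each list element to the loop name
            list_path, item = d.split()[1:3]
            end = _block_end(tokens, i + 1)
            for elem in resolve(list_path, ctx) or []:
                out.append(_render(tokens[i + 1:end], {**ctx, item: elem}))
            i = end + 1
        elif d == "end":
            raise ValueError("${end} without an open block")
        else:                              # plain ${variable} substitution
            out.append(lookup(d, ctx))
            i += 1
    return "".join(out)


def render(template, ctx):
    """Render the ${if}/${foreach}/${end}/${var} subset used by the template above."""
    return _render(re.split(r"(\$\{[^}]*\})", template), ctx)


def render_backlog(backlog, template=TEMPLATE):
    """Convenience wrapper: render the notification body for a given backlog."""
    return render(template, {"backlog": backlog})


if __name__ == "__main__":
    print(render_backlog(SAMPLE_BACKLOG))
```

Running it prints one deep link plus the user, workstation, time, source and logon type for each backlog message; swap in `${message.LogonType}` and that line comes back empty, which is the quickest way to spot a mistyped field path before the first real alert fires.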