I can't see any properly graylog alert messages

Graylog Add-ons
,
1

Hello,
I am using to Graylog version 3.2.4 and i can’t see properly graylog alert messages.
I created a stream for an example 4724 event ID, and I use the email alarm table for this, but I need some data for example “Who did it:” or “Which user”.

— [Event Definition] ---------------------------
Title: {event_definition_title} Description: {event_definition_description}
Type: {event_definition_type} — [Event] -------------------------------------- Timestamp: {event.timestamp}
Message: {event.message} Source: {event.source}
Key: {event.key} Priority: {event.priority}
Alert: {event.alert} Timestamp Processing: {event.timestamp}
Timerange Start: {event.timerange_start} Timerange End: {event.timerange_end}
User: {winlogbeat_event_data_TargetUserName} Fields: {foreach event.fields field} {field.key}: {field.value}
{end} {if backlog}
— [Backlog] ------------------------------------
Last messages accounting for this alert:
{foreach backlog message} {message}
{end} {end}

log
log1758×908 52.6 KB
stream
stream1907×664 59.3 KB
teams
teams1014×383 26.9 KB
slack
slack1055×519 45.6 KB
mail
mail1072×863 16.4 KB

2

You haven’t included any messages in the backlog for your alert.

Message fields (such as winlogbeat_event_data_TargetUserName) are only available by iterating over the backlog.

See the following documentation:
https://docs.graylog.org/en/3.2/pages/alerts.html#email-alert-notification

In order to access the field values, you will need to write your notification template to include lines like the below:
${message.fields.winlogbeat_event_data_TargetUserName}

Remember, the above will only work while iterating over the backlog and you must include at least one message in the backlog otherwise there will be no data.

4

nothing has changed.

— [Event Definition] ---------------------------
Title: {event_definition_title} Description: {event_definition_description}
Type: {event_definition_type} --- [Event] -------------------------------------- User: {message.fields.winlogbeat_event_data_TargetUserName}
Timestamp: {event.timestamp} Message: {event.message}
Source: {event.source} Key: {event.key}
Priority: {event.priority} Alert: {event.alert}
Timestamp Processing: {event.timestamp} Timerange Start: {event.timerange_start}
Timerange End: {event.timerange_end} Fields: {foreach event.fields field} {field.key}: {field.value}
{end} {if backlog}
— [Backlog] ------------------------------------
Last messages accounting for this alert:
{foreach backlog message} {message}
{end} {end}

5

You need to provide more information.

All I can say from what you have posted is that you have ignored the documentation where it specifically states that message fields are only available while iterating over the backlog.

The line User: {message.fields.winlogbeat_event_data_TargetUserName} will never work in that configuration.

6

I’ve been using version 2.3 before and I share the mail template. Now i using the v3.4 but i cant see any log email message.
thank you for your help

Event_Definitions_1
Event_Definitions_11911×682 70.1 KB
Event_Definitions_2
Event_Definitions_21915×804 80.2 KB
Event_Definitions_3
Event_Definitions_31914×353 16.7 KB
Event_Definitions_4
Event_Definitions_41875×533 73.6 KB
Event_Definitions_5
Event_Definitions_51896×870 85.3 KB
Notifications
Notifications1895×879 114 KB
old_message_template
old_message_template1512×772 50.5 KB
stream
stream1913×774 115 KB

7

In the notification tab of your event definition, you have to add a message backlog to the event.

8

Ok its solved.
Thank you.

9

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.