Mikrotik Log and email notification alert

Hello

I am using Graylog 4.1.x. I log brute force attacks from a Mikrotik router. I am sending all of these logs to Graylog. So far everything is ok. However, when I create an alarm, I cannot see the IP address in the message, or the entire message, in the incoming e-mails.

Example_log:
rt0 login failure for user admin from 10.0.0.100 via ssh

Below is my email and html template.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
EventID:              ${event.id}
EventMessage:         ${event.message}
Timestamp:            ${event.timestamp}
Message:              ${message.message}
OB1:                  ${message.fields.full_message}
Source:               ${event.source}
User:                 ${source.user}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${foreach backlog message}${message.fields.src_ip}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
User:  ${source.user}
${message.fields.EventID}
${message.fields.TargetUserName}
${message.fields.SubjectUserName}
${if backlog}${foreach backlog message}
${message.fields.EventID}
${message.fields.TargetUserName}
${message.fields.SubjectUserName}

---  Raw Message  ---
${message.message}
${end}${else}${end}
${message}
${end}
${end}
${end}
${end}

Hi,

When you create an Event definition, in the section field you can add a custom field.
If your field is called ip address then the template could be “${source.hostname}”

The field is then displayed in your email.

SC6

Hello && Welcome

I had to adjust your posts so it was easier to read. Please use the markup when posting logs files, configurations, etc…

Next,

As @Arie suggested you have to have the field for your IP address. If so, then maybe something like this

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Source device: ${message.source} 
Severity:      ${message.fields.Severity}
IP Address:    ${message.fields.some_field}
${end}
${end}

You need to add that field to your notification template.

IP Address:         ${message.fields.some_field}

Hope that helps

EDIT: I did a mockup of your Notification template in my lab. Below is what worked for me. You may have to adjust this to your needs but it seems that your Template had multiple fields for “Messages”.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
User:            ${message.fields.linux_user}
Message:         ${message.message}
OB1:             ${message.fields.full_message}
Source device:   ${message.source} 
Severity:        ${message.fields.Severity}
IP Address:      ${message.fields.src_ip}
EventID:         ${message.fields.EventID}
TargetUserName:  ${message.fields.TargetUserName}
SubjectUserName: ${message.fields.SubjectUserName}
${end}
${end}

Then it seems you want to Group the “User” so I added this in my Event Definition

Next, what I noticed was your example of your log.

That log looks like it's from a Linux server, but your notification template looks like it's made for Windows Event Viewer logs. Is this correct?
You are probably going to need an extractor with a field for your IP Address. I mocked one up for ya using a regex extractor from my Linux server.

\b(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\b

If you don’t want to use Regex for an extractor then you can use default Grok Pattern.

Configuration
    grok_pattern: %{IP}
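The replies above make one point: the template can only print `${message.fields.src_ip}` if an extractor has already created that field on the message. The following Python script, added here as an illustration and not part of the thread or of Graylog itself, mimics that extractor on constructed Mikrotik-style log lines. It reuses the IPv4 regex from the reply above, extended (as an assumption) with named groups for the user name and the service, and then renders a backlog section in the shape of the suggested template. It also shows a caveat the regex alone does not cover: `\d{1,3}` accepts octets above 255, so the extracted value is validated before it is treated as an address.

```python
import ipaddress
import re

# IPv4 regex from the reply above, extended with named groups for the
# user and service (the extension is an assumption, not from the thread).
MIKROTIK_LOGIN_FAILURE = re.compile(
    r"login failure for user (?P<user>\S+) from "
    r"(?P<src_ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b) via (?P<service>\w+)"
)

# Constructed sample lines in the same shape as the one in the question.
SAMPLE_LOGS = [
    "rt0 login failure for user admin from 10.0.0.100 via ssh",
    "rt0 login failure for user root from 192.168.88.250 via winbox",
    "rt0 login failure for user admin from 999.1.1.1 via ssh",  # invalid octet
    "rt0 user admin logged in from 10.0.0.5 via ssh",           # not a failure
]


def extract_fields(line):
    """Mimic a Graylog regex extractor: return the fields a matching line adds."""
    m = MIKROTIK_LOGIN_FAILURE.search(line)
    if not m:
        return {}
    fields = m.groupdict()
    # \d{1,3} also matches octets above 255; validate so the alert carries
    # a real address rather than a malformed token.
    try:
        ipaddress.IPv4Address(fields["src_ip"])
    except ipaddress.AddressValueError:
        fields["src_ip_invalid"] = fields.pop("src_ip")
    return fields


def render_backlog(lines):
    """Render the backlog block the way the suggested template lays it out."""
    entries = []
    for line in lines:
        f = extract_fields(line)
        if not f:
            continue  # lines without the failure pattern never reach the alert
        entries.append(
            f"User:       {f.get('user', '')}\n"
            f"IP Address: {f.get('src_ip', '(none)')}\n"
            f"Message:    {line}"
        )
    return "\n\n".join(entries)


if __name__ == "__main__":
    print(render_backlog(SAMPLE_LOGS))
```

Run it directly to see the three matching lines rendered; the line with the invalid octet shows `(none)` for the address because the value was moved to `src_ip_invalid`. In Graylog the equivalent safeguard is a pipeline rule or a condition on the extractor; the point is that the notification template only echoes whatever field the extractor produced.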
