1. Describe your incident:
In my development Graylog instance, using the “Timestamp” field within an MS Teams notification in Graylog causes, um, odd behaviour.
It appears that the “:” within the field causes some sort of issue with the message.
See this image:
The above alert was generated by this notification text:
Timestamp: ${event.timestamp}
Message: ${event.message}
Trigger: ${event.key}
Timestamp Processing: ${event.timestamp}
Event Fields:
${foreach event.fields field}
${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages for this alert:
${foreach backlog message}
Time: ${message.timestamp} - user_name: ${message.fields.user_name} - Device: ${message.fields.user_domain} ${message.fields.IpAddress}
${end}${end}
I can reproduce by just having the timestamp field present, or even just manually typing in a timestamp.
Slack notifications do not have this issue, and messages are displayed as expected - using the same message template.
2. Describe your environment:
Ubuntu 20.04 LTS
Graylog 4.3.2, Elasticsearch 7.10.2
3. What steps have you already taken to try and solve the problem?
I have recreated the notification within Graylog and changed the “custom message” to no avail.
I have attempted to “escape” fields within the message using different Teams escape strings.
I’ve also added the notification to a few different alert definitions and they all exhibit the same problem for me.
I downloaded the original 3rd party plugin for Teams notifications and tried that, to no avail.
I have access to a production Graylog instance for a customer, and this does not have the same issue; although Graylog is version 4.2.x and uses a third party plugin for MS Teams notifications.
4. How can the community help?
Does anyone else experience the issue?
Am I being stupid? I feel like I’m doing something wrong but I’m not able to pinpoint it.