Notification Alert body text

kcarter · December 13, 2019, 2:07pm

I’m new to Graylog and am evaluating it for possible purchase. I’ve set up 4 notifications all for Windows user account changes. The problem is that the alert email does not show me who created/altered the account or what account was created/altered. I’ve searched google and the documentation for the answers and can not find anything. Also the source always shows as Graylog instead of the actual source of the Windows event.

Body template
— [Event Definition] ---------------------------
Title: {event_definition_title} Description: {event_definition_description}
Type: {event_definition_type} --- [Event] -------------------------------------- Timestamp: {event.timestamp}
Message: {event.message} Source: {event.source}
Key: {event.key} Priority: {event.priority}
Alert: {event.alert} Timestamp Processing: {event.timestamp}
Timerange Start: {event.timerange_start} Timerange End: {event.timerange_end}
Fields:
{foreach event.fields field} {field.key}: {field.value} {end}
{if backlog} --- [Backlog] ------------------------------------ Last messages accounting for this alert: {foreach backlog message}
{message} {end}
${end}

shoothub · December 13, 2019, 2:35pm

You have to setup number of backlog to 1: in Alerts - Event Definitions - tab Notifications and field Message Backlog, tick the checkbox and set 1.

Message backlog define number of messages to be included in Notifications.

Source in default template for notification use {event.source}, which is source of event, not a source device.

If you want device source included in notification message use:
${foreach backlog message}${message.source}${end}

If you want to use user field (for example: src_ip) use {$message.fields.src_ip}:
${foreach backlog message}${message.fields.src_ip}${end}

For example I use this message text after somebody connect to switch:
{foreach backlog message} Source device: {message.source} Username: {message.fields.username} IP: {message.fields.src_ip} ${end}

You can also use same technique in message subject, for example I use this:
User ${foreach backlog message}${message.fields.username}${end} connected to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}

Hope it helps.

kcarter · December 13, 2019, 2:46pm

Thank you, I will try it out.

kcarter · December 13, 2019, 5:53pm

That will do. Thank you for your assistance.

Topic		Replies	Views
Customise my email alerts Graylog Central (peer support)	6	548	August 15, 2022
Email Alerts w/ Additional Information Graylog Central (peer support)	8	915	January 26, 2021
Alert: logID + log content Graylog Central (peer support)	2	445	January 2, 2020
I can't see any properly graylog alert messages Graylog Add-ons sidecar , winlogbeat	7	1427	April 9, 2020
HTTP Notification show message New to Graylog Community? READ-ME FIRST Guides	0	62	August 22, 2024

Notification Alert body text

Related topics