I’m new to Graylog and am evaluating it for possible purchase. I’ve set up 4 notifications, all for Windows user account changes. The problem is that the alert email does not show me who created/altered the account or what account was created/altered. I’ve searched Google and the documentation for the answers and cannot find anything. Also, the source always shows as Graylog instead of the actual source of the Windows event.
You have to set the message backlog to 1: under Alerts - Event Definitions - Notifications tab, in the Message Backlog field, tick the checkbox and set it to 1.
Message Backlog defines the number of messages to be included in notifications.
Source in the default notification template uses ${event.source}, which is the source of the event, not the source device.
If you want the device source included in the notification message, use: ${foreach backlog message}${message.source}${end}
If you want to use a custom field (for example src_ip), use ${message.fields.src_ip}: ${foreach backlog message}${message.fields.src_ip}${end}
For example, I use this message text after somebody connects to a switch: ${foreach backlog message} Source device: ${message.source} Username: ${message.fields.username} IP: ${message.fields.src_ip} ${end}
You can also use the same technique in the message subject; for example, I use this: User ${foreach backlog message}${message.fields.username}${end} connected to switch ${foreach backlog message}${message.source}${end} from IP ${foreach backlog message}${message.fields.src_ip}${end}
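Applying the same backlog technique to the original question (Windows account creation/change events), here is a complete subject and body template as an added example; it is not the answer author's template and not part of Graylog's default notification text. It assumes the Windows Security log is shipped by Winlogbeat into a Graylog Beats input, which flattens the event fields to names such as winlogbeat_winlog_event_id, winlogbeat_winlog_event_data_SubjectUserName (the account that made the change) and winlogbeat_winlog_event_data_TargetUserName (the account that was created or changed). Those field names are an assumption: open one of the matching messages in the Graylog search page and copy the exact field names shown there, because a field that does not exist renders as an empty string rather than an error.

```text
--- Subject template ---
[Graylog] ${event_definition_title}: ${foreach backlog message}${message.fields.winlogbeat_winlog_event_data_TargetUserName}${end} changed by ${foreach backlog message}${message.fields.winlogbeat_winlog_event_data_SubjectUserName}${end}

--- Body template ---
Event definition: ${event_definition_title}
Triggered at:     ${event.timestamp}

${foreach backlog message}
Source device:    ${message.source}
Event time:       ${message.timestamp}
Windows Event ID: ${message.fields.winlogbeat_winlog_event_id}
Actor (who):      ${message.fields.winlogbeat_winlog_event_data_SubjectUserName}
Actor logon ID:   ${message.fields.winlogbeat_winlog_event_data_SubjectLogonId}
Target (what):    ${message.fields.winlogbeat_winlog_event_data_TargetUserName}
Original text:    ${message.message}
${end}
```

Paste the two parts into the notification's Subject and Body fields and keep Message Backlog at 1 as described above: the ${foreach backlog message} loop then expands exactly once, so the subject reads as a single sentence. If you raise the backlog above 1, the subject loops concatenate every backlogged username with no separator, so in that case keep the per-message detail in the body only and use a static subject.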