I’m a new graylog user and I’m working with alerts! I have a lot of different use cases to trigger an alert and a notification.
I want to create a notification for each use case (condition). Some cases are logging in the same stream and I need a custom notification message for each one… So, my question:
Can I do this? Or do I need to create a stream for each use case? Is there a best practice for this?
I have another question… Do you know if I can change the Stream URL in the email notification? I really want to change the query of this link… It would be awesome if I could change or concatenate this URL + alert query.
To work around this I have mine set up with a series of pipeline rules that, when an event is found, create three new fields (Alert, Subject, and Body) and then shunt to a stream that looks for the Alert field to kick off a notification (I could just look for a subject field I suppose). This way the condition and notification are generic and the pipeline is taking care of the details. Here is an example that utilizes Windows Beats:
rule "AP3-WinSec-UserPWChange"
when
    // assumes you have checked for
    // windows-security-information
    to_string($message.winlogbeat_event_id) == "4723"
then
    // Build Alert structures
    // Create subject of (e-mail) alert
    let subject_0 = concat("-GLA| USER CHANGED PW: ", to_string($message.winlogbeat_event_data_TargetUserName));
    set_field("cmg_subject", subject_0);
    //
    // create detail of (e-mail) alert
    let build_mess_0 = concat("USER Changed their password: ", to_string($message.winlogbeat_event_data_TargetUserName));
    let build_mess_1 = concat(build_mess_0, " on machine ");
    let build_mess_2 = concat(build_mess_1, to_string($message.winlogbeat_event_SubjectDomainName));
    let build_mess_3 = concat(build_mess_2, "-");
    let build_mess_fin = concat(build_mess_3, to_string($message.winlogbeat_computer_name));
    set_field("cmg_body", build_mess_fin);
    // route_to_stream("P1-Alert");
    // route_to_stream("P2-Alert");
    route_to_stream("P3-Reporting");
end
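As an added example (not part of the reply above), the same pattern applied to a second condition that shares the reporting stream, so the single generic alert condition and notification stay untouched while each rule supplies its own subject, body and marker field. It also builds a search-query field per condition, which is one way to get a tailored query into the notification without touching the stream URL itself. Assumptions: the rule keys on Windows event 4740 (account lockout) with the same `winlogbeat_*` field names as the rule above, the marker field is named `cmg_alert`, and the notification template in use can reference message fields (if it cannot, the `cmg_query` field is still useful as a copy-and-paste search term in the body).

```text
rule "AP3-WinSec-AccountLockout"
when
    // guard first, so messages without the field never hit to_string()
    has_field("winlogbeat_event_id") &&
    to_string($message.winlogbeat_event_id) == "4740"   // assumed: account lockout
then
    // generic marker field; the alert stream rule and condition match on this
    set_field("cmg_alert", "true");

    // per-condition subject, built here so the notification stays generic
    let target = to_string($message.winlogbeat_event_data_TargetUserName);
    set_field("cmg_subject", concat("-GLA| ACCOUNT LOCKED OUT: ", target));

    // per-condition body (concat takes two arguments, so chain it)
    let body_0 = concat("Account locked out: ", target);
    let body_1 = concat(body_0, " reported by ");
    set_field("cmg_body", concat(body_1, to_string($message.winlogbeat_computer_name)));

    // tailored search terms for this condition; a template can append these
    // to the stream search link, or an analyst can paste them into the search bar
    let query_0 = concat("winlogbeat_event_id:4740 AND winlogbeat_event_data_TargetUserName:", target);
    set_field("cmg_query", query_0);

    // same shared reporting stream as the password-change rule
    route_to_stream("P3-Reporting");
end
```

Two practical notes on this design: because `TargetUserName` comes from the log source rather than from you, treat it as untrusted when it ends up in a query or a link (quote the value in the search term and URL-encode the whole field before concatenating it onto the stream URL), and keep the marker-field check on the alert stream strict (`cmg_alert` present and equal to `true`) so that unrelated messages landing in `P3-Reporting` do not fire the generic notification.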