Notification for each condition

min · May 6, 2019, 5:19pm

Hello guys,

I’m a new graylog user and I’m working with alerts! I have a lot of different use cases to trigger an alert and a notifications.

I want to create a notification for each use case (condition), some cases are logging in the same stream and I need a custom notification message for each one… So, my question:

Can I do this? Or I need to create a stream for each use case? Have a best practice to do this?

Thank you!

jan · May 6, 2019, 9:22pm

currently you would need to create a stream for each case if you want to have single condition to notification match.

min · May 6, 2019, 9:45pm

Hmmmmm, ok!

Thank you!!!

I have another question… Do you know if I can change the Stream URL in the email notification? I really want to change the query of this link… It would be awesome if I can change or concatenate this url + alert query

tmacgbay · May 7, 2019, 1:09pm

To work around this I have mine set up with a series of pipeline rules that when an event is found create three new fields (Alert, Subject, and Body) and then shunt to a stream that looks for the Alert field to kick off notification (I could just look for a subject field I suppose). This way the condition and notification are generic and the pipeline is taking care of the details. Here is an example that utilizes Windows Beats:

rule "AP3-WinSec-UserPWChange"
when
    // assumes you have checked for
    // windows-security-information
    to_string($message.winlogbeat_event_id) == "4723"
then
    // Build Alert structures
    // Create subject of (e-mail) alert
    let subject_0 = concat("-GLA| USER CHANGED PW: ", to_string($message.winlogbeat_event_data_TargetUserName));
    set_field("cmg_subject", subject_0);
    //
    // create detail of (e-mail) alert
    let build_mess_0   = concat("USER Changed their password: ",  to_string($message.winlogbeat_event_data_TargetUserName));
    let build_mess_1   = concat(build_mess_0, " on machine ");
    let build_mess_2   = concat(build_mess_1, to_string($message.winlogbeat_event_SubjectDomainName));
    let build_mess_3   = concat(build_mess_2, "-");
    let build_mess_fin = concat(build_mess_3, to_string($message.winlogbeat_computer_name));
    set_field("cmg_body", build_mess_fin);
//    route_to_stream("P1-Alert");
//    route_to_stream("P2-Alert");
      route_to_stream("P3-Reporting");
end

min · May 7, 2019, 1:34pm

Hum, I think this could work for me! Good alternative!

Thanks for sharing your solution!

system · May 21, 2019, 1:34pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can create alerts specific to a condition instead of stream Graylog Central (peer support)	2	350	August 21, 2018
Notification is associated with stream not with condition Graylog Central (peer support)	2	1365	June 6, 2018
Field content alert condition more than one value? Graylog Central (peer support) pipeline-rules , sidecar , winlogbeat	6	2645	September 4, 2018
Stream and alert (condition) question Graylog Central (peer support)	8	729	May 28, 2019
Alert notifications should be bound to alert conditions instead of streams Graylog Central (peer support)	3	2322	July 20, 2018

Notification for each condition

Related Topics