I am using Graylog 2.5.1 and having an issue with the alert notifications. (I can't upgrade at the moment)
${if backlog}Last messages accounting for this alert:
${foreach backlog message}${message}
${end}${else}<No backlog>
${end}
The ${message} is a long JSON field coming from Traefik and it is printed inside the notification as a very, very long and ugly string.
Since Graylog is showing the JSON fields separated by a pipe (|), I am wondering if there is any way to replace the pipe with a newline in order to make it easy to read.
As far as I could read, the templating engine is based on JMTE, but I can't find any string manipulation functions.
If the notification template is grabbing data from the "message" field, it will look like that.
To make it neat, perhaps only use the fields you want.
Example:
Fields:
${foreach event.fields field} ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
User: ${message.fields.TargetUserName}
WorkStation Name: ${message.fields.WorkstationName}
Event Time: ${message.fields.EventReceivedTime}
Source: ${message.source}
Logon Type: ${message.fields.LogonType}
Message Link to the Alert: https://graylog.domain.com:9000/messages/${message.index}/${message.id}
${end}
${end}
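To make the two points above concrete (splitting the pipe-separated "key: value" form from the question into one line per field, and rendering a backlog template that names only the fields you want), here is an added Python example. It is not Graylog's or JMTE's code; it emulates a small subset of the `${message.<path>}` placeholder lookup on constructed sample messages, and it shows how a placeholder for a property the message object lacks (such as `message.index` on an older version) can be detected before it breaks the whole notification.

```python
import re

# Matches ${message.<dotted path>} placeholders, e.g. ${message.fields.level_name}
PLACEHOLDER = re.compile(r"\$\{message\.([A-Za-z0-9_.-]+)\}")

# Constructed sample: the flat "key: value | key: value" string form that the
# question describes. Values are placeholders, not real data.
FLAT_MESSAGE = (
    "input_stream: gelf_tcp | gl2_remote_port: 16566 | k8s_namespace_name: ci "
    "| level_name: ERROR | timestamp: 2022-07-12T08:39:00.570Z "
    "| k8s_labels_appinstance:REDACTED"
)


def split_flat_fields(flat):
    """Split a ' | '-separated 'key: value' string into a dict.

    Splitting only on ' | ' (pipe with surrounding spaces) and on the first
    ': ' of each pair keeps values that themselves contain ':' (timestamps)
    intact. A 'key:value' pair without a space is tolerated as a fallback.
    """
    fields = {}
    for part in flat.split(" | "):
        key, sep, value = part.partition(": ")
        if not sep:
            key, sep, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def pipes_to_newlines(flat):
    """The readable form the question asks for: one 'key: value' per line."""
    return "\n".join(f"{k}: {v}" for k, v in split_flat_fields(flat).items())


def resolve(message, path):
    """Walk a dotted path ('source', 'fields.level_name') over a message dict.

    An unknown property raises KeyError naming it, in the spirit of the
    NoSuchFieldException the thread shows for 'message.index'.
    """
    current = message
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            raise KeyError(f"Property '{part}' cannot be accessed on message")
        current = current[part]
    return current


def render_backlog(template, messages, strict=True):
    """Render `template` once per backlog message, substituting placeholders.

    strict=True aborts on the first unresolvable property (the behaviour the
    thread's error shows); strict=False renders '<missing: path>' instead so
    the rest of the notification still goes out.
    """
    rendered = []
    for message in messages:
        def substitute(match):
            path = match.group(1)
            try:
                return str(resolve(message, path))
            except KeyError:
                if strict:
                    raise
                return f"<missing: {path}>"
        rendered.append(PLACEHOLDER.sub(substitute, template))
    return "\n".join(rendered)


def unresolvable_placeholders(template, messages):
    """Pre-deployment check: list placeholder paths that fail on any sample
    message. An empty list means the template renders without property errors."""
    bad = []
    for path in PLACEHOLDER.findall(template):
        for message in messages:
            try:
                resolve(message, path)
            except KeyError:
                if path not in bad:
                    bad.append(path)
    return bad


# Constructed backlog: one message shaped like the older server's object,
# which has 'id', 'source' and 'fields' but no 'index' property.
BACKLOG = [
    {"id": "constructed-id-1", "source": "gateway-1",
     "fields": split_flat_fields(FLAT_MESSAGE)},
]

# Constructed template in the style of the reply above (hostname is a placeholder).
TEMPLATE = (
    "Source: ${message.source}\n"
    "Level: ${message.fields.level_name}\n"
    "Namespace: ${message.fields.k8s_namespace_name}\n"
    "Link: https://graylog.example.com:9000/messages/${message.index}/${message.id}"
)

if __name__ == "__main__":
    print(pipes_to_newlines(FLAT_MESSAGE))
    print("unresolvable:", unresolvable_placeholders(TEMPLATE, BACKLOG))
    print(render_backlog(TEMPLATE, BACKLOG, strict=False))
```

Run `unresolvable_placeholders` against a couple of representative messages before changing the notification template; in this sample it reports `index`, which is exactly the property the later error message complains about, and dropping that placeholder (or the link line) makes the template render cleanly.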
It works, but I found a glitch.
My template does not include any 'index' mention, as you can see below, but I got some errors while rendering the notification email.
Do you know how to avoid this without skipping the notification email that produces this error?
graylog error
The Graylog server encountered an error while trying to send an email. This is the detailed error message: com.floreysoft.jmte.message.ParseException: Error while parsing ‘message.index’ at location (17:59): Property ‘index’ on object ‘source: REDACTED| message: REQUEST:HttpRequest(HttpMethod(GET),http://REDACTED,List(Timeout-Access: , Remote-Address: REDACTED:46658, Accept: application/json, text/pla (…) { input_stream: gelf_tcp | k8s_labels_app-api-ver: REDACTED | gl2_remote_ip: REDACTED | gl2_remote_port: 16566 | k8s_labels_stack_name: prod | gl2_source_input: 59dc89fee8c3e819f0b926bd | k8s_labels_app-base-web-ver: master | k8s_labels_apprelease-time: 20220711180459 | k8s_container_name: REDACTED | k8s_labels_tag: apiv2 | k8s_labels_stack_config: prod | gl2_source_node: cae84269-e5c2-429d-a8b0-7b099bb3d9b8 | logger_name: REDACTED$ | k8s_namespace_name: ci | timestamp: 2022-07-12T08:39:00.570Z | level: 3 | streams: [000000000000000000000001, 5e29b59eac34370044fd31a2, 6287931889bc44003cd04381] | k8s_labels_app-base-api-ver: master | k8s_pod_name: REDACTED | k8s_labels_appname: REDACTED | k8s_labels_appinstance:REDACTED | k8s_labels_app-web-ver: v4.13.6 | level_name: ERROR | full_message: REQUEST: HttpRequest(HttpMethod(GET),http://REDACTED,List(Timeout-Access: , Remote-Address: REDACTED:46658, Accept: application/json, text/plain, /, Connection: keep-alive, Host: REDACTED:9001, User-Agent: Mozilla/5.0 (Linux x64) REDACTED),HttpEntity.Strict(none/none,ByteString()),HttpProtocol(HTTP/1.1)) REQUEST-ENTITY: RESPONSE: Complete(HttpResponse(500 Internal Server Error,List(),HttpEntity.Strict(application/json,{“error”:“generic_error”}),HttpProtocol(HTTP/1.1))) | thread_name: trovimap-gateway-akka.actor.default-dispatcher-12 | _id: 13c90ab2-01be-11ed-881c-f6e60414bcca }’ can not be accessed: “java.lang.NoSuchFieldException: index”!
I have GL version 4.3, but that message link did work in version 3.3. But if you noticed, I'm using an FQDN; if you're not using that, I would replace it with the IP address. Just a thought.
Seems I will have to upgrade as soon as possible.
And looking at the changes among versions, it will probably be easier to just install and configure the latest version. :-/
In one of our environments we do have Graylog 2.4. I'm almost 100% certain the other admin did use Message URL/Link. He is not working today, but first thing on Monday I can ask him. Upgrading would be good for security reasons, but this would depend on how your environment is set up. Most of our older versions of Graylog are NOT exposed to the internet, so we don't have a problem with that. Please be mindful and look at the change logs for the different Graylog versions below. There have been a few changes from 2.4 → 4.3, and perhaps some functions may not work any more.
Yep, that's why I said to install 4.3.3 from scratch instead of going through all the upgrades from 2.5.1 to 4.3.3. Too many things to take care of and too much work.
Just an FYI: we had to upgrade our GL 2.4 and, as you stated, we installed a fresh version of GL 4.3, BUT we installed the same version of MongoDB on the new GL 4.3 server. To keep all the settings, we executed a mongo dump and SCPed it to the new server. It took a minute for Graylog to update the Mongo database (graylog), but we were able to keep 90% of the settings we had created. Some of the issues were the notification and authentication settings, which needed to be re-configured, but most everything else was good.