Notifications from windows

testsia · August 27, 2020, 9:29am

notifications from windows
Hey. I want to receive notifications from my windows log file.
I have a template:
{event.message}</b>{if event.timerange_start}
Timerange: {event.timerange_start} to {event.timerange_end}{end}{if streams}
Streams:{foreach streams stream} <a href='{stream.url}’>{stream.title}</a>{end}{end} {if backlog}{foreach backlog message} ######## Source device: {message.source} Timestamp: {event.timestamp} test1: {message.full_message} User: ${message.TargetUserName}

########### ${message.message} ${message.gl2_remote_ip} ${end}</code>${else}<i>- no backlog -</i> ${end} ${if backlog} ${end} I cannot get the string User: {message.TargetUserName} I can get a complete log. But get message.TargetUserName separately I can not.

Karlis · August 27, 2020, 11:42am

Try ${full_message.TargetUserName}

testsia · August 27, 2020, 12:39pm

Here is the message I received:

Windows_block_account
Streams: Windows_block_account 

########
Source device: xdp-dc2
Login: 
###########

User account blocked�

My template:

${event.message}${if event.timerange_start}
Timerange: ${event.timerange_start} to ${event.timerange_end}${end}${if streams}
Streams:${foreach streams stream} ${stream.title}${end}${end}
${if backlog}${foreach backlog message} ######## Source device: ${message.source}
Login: ${full_message.TargetUserName}
########### ${message.message} ${message.gl2_remote_ip} ${end}${else}- no backlog -
${end}
${if backlog}
${end}

Karlis · August 27, 2020, 1:43pm

Tried this without results too.
I am using backlog, for Windows it contains all needed fields, including username. Just check message backlog and set it to 1 in event definition and add this to email template

${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}

testsia · August 27, 2020, 1:51pm

Thank you for helping me.
I also use the backlog for my email.
But I also have notifications set up for my telegram.
These messages are too large for a telegram.
It is not comfortable.

Perhaps you know how to select fields that interest me from the backlog …

Karlis · August 27, 2020, 2:04pm

No, sorry. Some time ago tried without success, now using full backlog.

testsia · August 27, 2020, 2:26pm

I managed to do it.
Maybe someone will come in handy:

<b>${event.message}</b>${if event.timerange_start}
Timerange: ${event.timerange_start} to ${event.timerange_end}${end}${if streams}
Streams:${foreach streams stream} <a href='${stream.url}'>${stream.title}</a>${end}${end}
${if backlog}<code>${foreach backlog message}
${message.message}
${message.gl2_remote_ip}
User: ${message.fields.TargetUserName}
Time: ${message.fields.EventReceivedTime}
Source: ${message.fields.TargetDomainName}
Source device: ${message.source} 

${end}</code>${else}<i>- no backlog -</i>
${end}
${if backlog}
${end}

I receive a message:

Windows_block_account
Streams: Windows_block_account

Заблокирована учетная запись поль�

Source device: xdp-dc1
User: test1
Time: 2020-08-27 17:21:24
Source: XDP-TS1

system · September 10, 2020, 2:26pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Email notification winlogbeat Graylog Central (peer support) sidecar , winlogbeat	1	690	January 1, 2018
Notification Alert body text Graylog Central (peer support)	4	2530	December 27, 2019
Notification multiple questions Graylog Central (peer support) sidecar , winlogbeat	1	495	April 11, 2018
How to make my email alerts more descriptive? Graylog Central (peer support)	5	4686	May 21, 2020
I can't see any properly graylog alert messages Graylog Add-ons sidecar , winlogbeat	7	1337	April 9, 2020

Notifications from windows

Related Topics