Notifications // Teams // Message truncated after colon


1. Describe your incident:
Sending a Teams notification from Graylog with the built-in Teams notification type. The notification includes a MAC address, in the format aa:bb:cc:dd:ee:ff

The MAC address in the notification is ALWAYS truncated after the first colon. No matter what. It seems this is due to the way the plugin sends the message. Teams seems to treat the colon as a separator to create a table.

In fact, any colon sent to the notification gets treated this way. This is my notification template:

Timestamp:  ${foreach backlog message}${message.fields.timestamp}${end}
Message:        ${event.message} Alarm Triggered
Source:        ${foreach backlog message}${message.fields.source}${end}
CPE MAC:        ${foreach backlog message}<pre>${message.fields.macaddress}</pre> ${end}
Error Msg:      ${foreach backlog message} <pre>${message.fields.detailed_info}</pre>${end}

How can I send text in a Teams notification that actually gets displayed?

2. Describe your environment:

  • OS Information:
    Ubuntu
  • Package Version:
    4.3.8
  • Service logs, configurations, and environment variables:

3. What steps have you already taken to try and solve the problem?
Everything I can think of, from enclosing with quotes or backticks, to enclosing in an HTML <pre> tag.

4. How can the community help?


This is more of a workaround rather than a solution, but perhaps you could create a pipeline rule to strip out the colons and save a new field with the MAC all jumbled together, like AABBCC112233. Then you could use that field in your alert.
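The workaround suggested above could look like the following pipeline rule. This is an added example, not part of the original reply; the field name macaddress is taken from the template in the question, and the new field name macaddress_plain is a hypothetical name chosen for illustration.

```graylog
rule "store colon-free copy of MAC address"
when
  has_field("macaddress")
then
  // aa:bb:cc:dd:ee:ff -> AABBCCDDEEFF
  // The original macaddress field is left untouched for searching.
  let mac = to_string($message.macaddress);
  // macaddress_plain is a hypothetical field name used only by the notification.
  set_field("macaddress_plain", uppercase(replace(mac, ":", "")));
end
```

The notification template would then reference ${message.fields.macaddress_plain} in place of ${message.fields.macaddress}.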

I had thought about that.

However, the colon issue is more problematic, since I would need to do that with any field that has a colon. I am attempting to use lots of syslog data, and most all syslog messages have strings with colons, which would require me to do a lot of duplicate processing and storage of fields just to send a notification.

Curious why there aren’t some config options for the MS Teams notification plugins. There are many supported formats for Teams notifications and cards, including plain text, which if available would solve the issue. Many other open source software packages have this capability (LibreNMS for example).

hey @nateynate

I assume this is a notification template? If so, something like this?

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp_processing}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
TargetUserName: ${message.fields.TargetUserName}
WorkstationName: ${message.fields.WorkstationName}
EventReceivedTime: ${message.fields.EventReceivedTime}
Source: ${message.fields.source}
Message Link: https://domain.com:9000/messages/${message.index}/${message.id}
${end}
${end}

This is just plain Notification settings.

This was fixed in 4.3.9, so probably best to just update: "4.3 Backport: Handle Teams Notification fields with colon characters" by kingzacko1 · Pull Request #1205 · Graylog2/graylog-plugin-integrations · GitHub


Actually, for this you probably need to go to 5.0 and then update your Teams template from here: "Rework Microsoft Teams Notification Templating" by kingzacko1 · Pull Request #1202 · Graylog2/graylog-plugin-integrations · GitHub

As Joel mentioned, your main issue here will not be resolved in 4.3.9. There was a timestamp issue that was related that was able to be backported, but there was no good way to fix the message backlog piece and make it stop breaking up messages by colon without a breaking change to existing Teams notifications.

Once on 5.0, you should be able to reformat your existing template to look something like this:

Message: ${event.message} Alarm Triggered<br/>
${if backlog}
--- [Backlog] ------------------------------------
${foreach backlog message}
Timestamp: ${message.timestamp}<br/>
Source: ${message.source}<br/>
CPE MAC: ${message.fields.macaddress}<br/>
Error Msg: ${message.fields.detailed_info}<br/><br/>
${end}
${end}

That should render your Teams notifications like this:


Awesome guys, thanks for the input.

I will look at upgrading to v5. Good resources for a pain-free upgrade? I have a pretty simple setup… no clusters, single machine with all parts running on the same vm.

N

Steps will depend on your OS, but they should all be covered here; it should be fairly straightforward in your configuration. Upgrading Graylog

