Problem with creating alerts

I created alerts following this topic,
but I don't understand why some information isn't sent, like the variable ${message.fields.name} and other similar ones.

These are my conditions

I used this template

    Date: ${check_result.triggeredAt}
    Stream ID: ${stream.id}
    Stream title: ${stream.title}
    ${if stream_url}Stream URL: ${stream_url}${end}

    ${if backlog}Last messages accounting for this alert:
    ${foreach backlog message}
    Message: ${message.message}
    Source: ${message.source}
    Full Message: ${message.fields.full_message}
    ${end}${else}<No backlog>
    ${end}

And I get this in my mail

    ##########
    Alert Description: Dummy alert to test notifications
    Date: 2017-09-11T18:48:33.664Z
    Stream ID: 59b695542ab79c0001554b85
    Stream title: New Stream
    Stream description: Test notifications
    Alert Condition Title: Test Alert
    Stream URL: https://mysite

    Triggered condition: d91e0fa5-867c-4cf1-bf0e-2b5d2fdd19f9:dummy={Dummy alert to test notifications}, stream:={59b695542ab79c0001554b85: "New Stream"}
    ##########

    Message:
    Full Message:

Have you configured the alert to actually include some message backlog?

http://docs.graylog.org/en/2.3/pages/getting_started/stream_alerts.html#create-the-alert

@jochen I set up according to this link.

What information do you need?

Help me with this problem, please!

@jan I tried everything, but it had no positive effect.
I iterate with foreach and don't get any information in my mail.
I created new streams, an index set, a condition and notifications.

What version of Graylog are you using?

Are you sure that your template is being used? Even if the message variable was empty, it should at least show the "Source: " line (just like "Message: " and "Full Message: ").

I use these versions of the applications in docker-compose:

  1. Graylog 2.3.1+9f2c6ef on baec6bf2ca74 (Oracle Corporation 1.8.0_141 on Linux 4.4.0-1022-aws)
  2. Elasticsearch 5.5.1
  3. MongoDB 3
  4. Nginx:latest

I don't know how the templates are used.
Maybe I used the wrong letter as an example.

@jochen Do you need more information?

@jochen Please answer my question.
Full information about the problem can be found in GitHub Issues

Full info about the problem

Expected Behavior

When a request arrives, the mail should receive a notification with the short information provided by the user.

Message format:

You have a new request
Date: 2017-09-14T18:54:23.671Z
Firstname: Jack
Lastname: Black
Phone: +12345678900
Site page: https://site.com/example/page
IP address: 000.00.00.00

I propose creating a separate tab with variables for their customization and calling it “Variables”, with the items “Global” and “Local”: “Global” for Inputs, and “Local” for the Graylog cluster.

Current Behavior

I get these alerts

    Alert Description: Stream received messages matching <user:"Black"> (Current grace time: 0 minutes)
    Date: 2017-09-14T18:13:14.226Z
    Stream ID: 59b92df92ab79c0001201034
    Stream title: New Stream
    Stream description: Maybe
    Alert Condition Title: Condition_test
    Stream URL: Please configure 'transport_email_web_interface_url' in your Graylog configuration file.

    Triggered condition: a33229ec-cc9a-4577-84dd-0a58cc310de4:field_content_value={field: user, value: Black, grace: 0, repeat notifications: false}, stream:={59b92df92ab79c0001201034: "New Stream"}
    ##########

    Last messages accounting for this alert:

Or this

    ##########
    Alert Description: Dummy alert to test notifications
    Date: 2017-09-14T18:18:34.009Z
    Stream ID: 59b92df92ab79c0001201034
    Stream title: New Stream
    Stream description: Maybe
    Alert Condition Title: Test Alert
    Stream URL: Please configure 'transport_email_web_interface_url' in your Graylog configuration file.

    Triggered condition: 5b28ae34-ef36-4600-860d-64b576301d65:dummy={Dummy alert to test notifications}, stream:={59b92df92ab79c0001201034: "New Stream"}
    ##########

    <No backlog>

I want to get the information as in the example written in “Expected Behavior”

You have a new request
Date: 2017-09-14T18:54:23.671Z
Firstname: Jack
Lastname: Black
Phone: +12345678900
Site page: https://site.com/example/page
IP address: 000.00.00.00

Steps to Reproduce (for bugs)

  1. Edit graylog.conf
    password_secret = secretpass
    root_password_sha2 = secretpasssha2
    root_email = mail@mail.com
    root_timezone = Europe/Kiev
    rest_listen_uri = https://0.0.0.0:9000/api/
    web_listen_uri = https://0.0.0.0:9000/
    elasticsearch_hosts = http://elasticsearch:9200
    elasticsearch_compression_enabled = true
    transport_email_enabled = true
    transport_email_hostname = smtp.gmail.com
    transport_email_port = 465
    transport_email_use_auth = true
    transport_email_use_tls = true
    transport_email_use_ssl = true
    transport_email_auth_username = mail@mail.com
    transport_email_auth_password = password
    transport_email_subject_prefix = [graylog]
    transport_email_from_email = graylog@example.com
    transport_email_web_interface_url = https://site.com

    Other settings are default.

  2. Create nginx.conf
    user nginx;
    worker_processes 1;

    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        proxy_hide_header X-Powered-By;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        # Strict Transport Security
        add_header Strict-Transport-Security "max-age=63072000; preload" always;

        server_tokens off;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  off;

        sendfile        on;
        #tcp_nopush     on;

        keepalive_timeout  65;

        gzip on;
        gzip_disable "msie6";
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

        # Plain HTTP only redirects to HTTPS
        server {
            listen       80;
            listen       [::]:80;
            server_name  site.com;
            return 301 https://site.com$request_uri;
        }

        server {
            listen       443 ssl http2;
            listen       [::]:443 ssl http2;
            server_name  site.com;
            resolver 8.8.4.4 8.8.8.8 valid=300s;
            resolver_timeout 10s;

            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_certificate /etc/ssl/private/fullchain.pem;
            ssl_certificate_key /etc/ssl/private/privkey.pem;
            ssl_trusted_certificate     /etc/ssl/private/chain.pem;
            ssl_dhparam /etc/pki/nginx/dhparam.pem;

            # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
            # (TLSv1 and TLSv1.1 are also left enabled by this line)
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!aNULL:!ADH:!AECDH:!MD5;

            # This is a cache for SSL connections
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 60m;

            access_log  off;

            # Unanchored, case-insensitive substring match: the "sf" alternative
            # also drops any User-Agent that merely contains those two letters
            if ( $http_user_agent ~* (nmap|nikto|wikto|sf|sqlmap|bsqlbf|w3af|acunetix|havij|appscan) ) {
                return 444;
            }

            # Web interface and REST API
            location / {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Graylog-Server-URL https://$server_name/api;
                proxy_pass       http://graylog:9000;
            }

            # GELF HTTP input: a POST to /log is forwarded to /gelf on port 12201
            location /log {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Graylog-Server-URL https://$server_name/gelf;
                proxy_pass       http://graylog:12201/gelf;
            }
        }
    }

  3. Create a certificate with letsencrypt

  4. docker-compose up -d

docker-compose.yml

version: '2'
services:
  proxy:
    image: nginx
    container_name: proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - ./proxy/nginx.conf:/etc/nginx/nginx.conf
      - /etc/letsencrypt/live/site.com/privkey.pem:/etc/ssl/private/privkey.pem
      - /etc/letsencrypt/live/site.com/fullchain.pem:/etc/ssl/private/fullchain.pem
      - /etc/letsencrypt/live/site.com/chain.pem:/etc/ssl/private/chain.pem
      - ./proxy/ssl/dhparam.pem:/etc/pki/nginx/dhparam.pem
    depends_on:
      - graylog
    mem_limit: 1g
    networks:
      - graylog

  mongodb:
    image: mongo:3
    container_name: mongo
    volumes:
      - /db:/data/db
    mem_limit: 2g
    restart: always
    networks:
      - graylog

  elasticsearch:
    image: docker.elastic.co/elasticsearch/elasticsearch:5.5.1
    container_name: elasticsearch
    volumes:
      - es_data:/usr/share/elasticsearch/data
    environment:
      - http.host=0.0.0.0
      - transport.host=localhost
      - network.host=0.0.0.0
      # Disable X-Pack security: https://www.elastic.co/guide/en/elasticsearch/reference/5.5/security-settings.html#general-security-settings
      - xpack.security.enabled=false
      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
    ulimits:
      memlock:
        soft: -1
        hard: -1
    mem_limit: 1g
    restart: always
    networks:
      - graylog

  graylog:
    image: graylog/graylog:latest
    container_name: graylog
    volumes:
      - ./graylog/config:/usr/share/graylog/data/config
      - graylog_journal:/usr/share/graylog/data/journal
    environment:
      - GRAYLOG_PASSWORD_SECRET=secretpass
      - GRAYLOG_ROOT_PASSWORD_SHA2=sha2secretpass
      - GRAYLOG_WEB_ENDPOINT_URI=https://site.com/api
    links:
      - mongodb:mongo
      - elasticsearch
    depends_on:
      - mongodb
      - elasticsearch
    mem_limit: 2g
    restart: always
    networks:
      - graylog

volumes:
  es_data:
    driver: local
  graylog_journal:
    driver: local

networks:
  graylog:
    driver: bridge

  1. Create Stream and add Stream Rules with this option
    Field source must contain https://

  2. Create a global GELF HTTP input with default settings, on port 12201

  3. Create Conditions
    Configuration: Alert is triggered when messages matching <source: "https://"> are received. Grace period: 0 minutes. Including last message in alert notification. Configured to repeat notifications.

  4. Create Notifications

    ##########
    Alert Description: {check_result.resultDescription} Date: {check_result.triggeredAt}
    Stream ID: {stream.id} Stream title: {stream.title}
    Stream description: {stream.description} Alert Condition Title: {alertCondition.title}
    {if stream_url}Stream URL: {stream_url}${end}

    Triggered condition: ${check_result.triggeredCondition}
    ##########

    {if backlog}Last messages accounting for this alert: {foreach backlog message.fields}${message.fields.status}

    {end}{else}
    ${end}

  5. Send information in JSON from site to Graylog.
    {
      "version": "1.1",
      "full_message": {"data": "message data"},
      "host": "https://example.com",
      "short_message": "uid",
      "_email": "j.doe@example.com",
      "_step": "step_1",
      "_status": "success",
      "_agent": "empty"
    }

Context

I want to get the functionality that is in Graylog out of the box.

I spent a lot of time looking for a solution to this problem, but I did not find it.

Your Environment

Graylog Version: v2.3.1+9f2c6ef
Elasticsearch Version: v. 5.5.1
MongoDB Version: v. 3.4.8
Browser version: Google Chrome 61.0.3163.91
Operating System: Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1022-aws x86_64)
Cluster in Docker container:
Docker-compose Version: 1.13.0, build 1719ceb
Docker Version: 17.05.0-ce, build 89658be
Nginx Version: latest

That’s not how the templating works. The backlog variable contains a collection of message objects which you have to iterate over.

Please take a look at the documentation as mentioned before:

Example:

${if backlog}
Last messages accounting for this alert:
${foreach backlog message}
Status: ${message.fields.status}
${end}
${else}
Empty backlog
${end}
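To make the data model behind that answer concrete (and to tie it back to the GELF payload posted in step 5 above), here is an added illustration that is not code from this thread or from Graylog: a toy renderer for the `${if}` / `${foreach}` / `${else}` / `${end}` constructs, fed with the message object that a GELF 1.1 payload turns into. The names `gelf_to_message`, `render_alert`, `TAG` and the sample payload are this example's own; Graylog itself renders templates with the JMTE library, and only the constructs seen in the thread are covered here. The mapping assumed is the documented one: `host` becomes `message.source`, `short_message` becomes `message.message`, `full_message` and every `_x` additional field land in `message.fields`. The sample payload is constructed; note that GELF defines `full_message` as a string, so it is a string here rather than the nested object used in step 5.

```python
"""Toy renderer for Graylog 2.x alert templates plus GELF -> message mapping.
Added illustration, not Graylog's own code (Graylog uses JMTE)."""
import json
import re

# Splits a template into alternating literal text and tag contents.
TAG = re.compile(r"\$\{([^}]*)\}")

# Constructed sample payload, modelled on step 5 of the issue. GELF 1.1
# defines full_message as a string; additional fields carry a leading '_'.
SAMPLE_GELF = json.loads("""{
    "version": "1.1",
    "host": "https://example.com",
    "short_message": "uid",
    "full_message": "message data",
    "_email": "j.doe@example.com",
    "_step": "step_1",
    "_status": "success",
    "_agent": "empty"
}""")

# The corrected template from the answer above, with a Source: line added.
TEMPLATE = (
    "${if backlog}Last messages accounting for this alert:\n"
    "${foreach backlog message}Status: ${message.fields.status}\n"
    "Source: ${message.source}\n"
    "${end}${else}<No backlog>\n${end}"
)


def gelf_to_message(payload):
    """host -> source, short_message -> message, full_message and _x -> fields."""
    fields = {k[1:]: v for k, v in payload.items() if k.startswith("_")}
    if "full_message" in payload:
        fields["full_message"] = payload["full_message"]
    return {"source": payload.get("host"),
            "message": payload.get("short_message"),
            "fields": fields}


def lookup(path, ctx):
    """Resolve a dotted path such as message.fields.status; None if absent."""
    cur = ctx
    for part in path.split("."):
        cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is None:
            return None
    return cur


def parse(tokens, i=0, stop=()):
    """Build a small node tree from the token list; returns (nodes, index, tag)."""
    nodes = []
    while i < len(tokens):
        if i % 2 == 0:                       # even index: literal text
            if tokens[i]:
                nodes.append(("text", tokens[i]))
            i += 1
            continue
        tag = tokens[i].strip()              # odd index: tag contents
        i += 1
        if tag in stop:
            return nodes, i, tag
        if tag.startswith("if "):
            then, i, ended = parse(tokens, i, ("else", "end"))
            other = []
            if ended == "else":
                other, i, _ = parse(tokens, i, ("end",))
            nodes.append(("if", tag[3:].strip(), then, other))
        elif tag.startswith("foreach "):
            _, coll, var = tag.split()       # ${foreach backlog message}
            body, i, _ = parse(tokens, i, ("end",))
            nodes.append(("foreach", coll, var, body))
        else:
            nodes.append(("var", tag))       # ${message.source}
    return nodes, i, None


def evaluate(nodes, ctx):
    out = []
    for node in nodes:
        if node[0] == "text":
            out.append(node[1])
        elif node[0] == "var":
            val = lookup(node[1], ctx)
            out.append("" if val is None else str(val))
        elif node[0] == "if":
            _, cond, then, other = node
            out.append(evaluate(then if lookup(cond, ctx) else other, ctx))
        else:                                # foreach: one pass per message
            _, coll, var, body = node
            for item in lookup(coll, ctx) or []:
                out.append(evaluate(body, {**ctx, var: item}))
    return "".join(out)


def render(template, ctx):
    nodes, _, _ = parse(TAG.split(template))
    return evaluate(nodes, ctx)


def render_alert(backlog):
    """Render TEMPLATE for a backlog of GELF payloads (possibly empty)."""
    return render(TEMPLATE, {"backlog": [gelf_to_message(p) for p in backlog]})


if __name__ == "__main__":
    print(render_alert([SAMPLE_GELF]))
    print(render_alert([]))
```

The point the renderer makes visible: `backlog` is a list, so `${foreach backlog message}` binds each entry to `message`, and only inside that loop does `${message.fields.status}` resolve to the value that arrived as `_status`. With an empty backlog the `${else}` branch is taken, which is the `<No backlog>` line in the mails quoted above.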

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.