Problem with create alerts


(Dodge Camaro) #1

I create alerts with this topic
But I don't understand why some information isn't sent, like this variable ${message.fields.name} and other similar ones.

This is my Conditions

I used this template

    Date: ${check_result.triggeredAt}
    Stream ID: ${stream.id}
    Stream title: ${stream.title}
    ${if stream_url}Stream URL: ${stream_url}${end}

    ${if backlog}Last messages accounting for this alert:
    ${foreach backlog message}
    Message: ${message.message}
    Source: ${message.source}
    Full Message: ${message.fields.full_message}
    ${end}${else}<No backlog>
    ${end}

And I have this in my mail

    ##########
    Alert Description: Dummy alert to test notifications
    Date: 2017-09-11T18:48:33.664Z
    Stream ID: 59b695542ab79c0001554b85
    Stream title: New Stream
    Stream description: Test notifications
    Alert Condition Title: Test Alert
    Stream URL: https://mysite

    Triggered condition: d91e0fa5-867c-4cf1-bf0e-2b5d2fdd19f9:dummy={Dummy alert to test notifications}, stream:={59b695542ab79c0001554b85: "New Stream"}
    ##########

    Message:
    Full Message:

(Jochen) #2

Have you configured the alert to actually include some message backlog?

http://docs.graylog.org/en/2.3/pages/getting_started/stream_alerts.html#create-the-alert


(Dodge Camaro) #3

@jochen I set up according to this link.

What information do you need?


(Dodge Camaro) #4

Help me in this problem, please!


(Dodge Camaro) #5

@jan I tried everything, but it had no positive effect.
I iterate with foreach and don't get any information in my mail.
I created new streams, an index set, a condition and notifications.


(Jochen) #7

What version of Graylog are you using?

Are you sure that your template is being used? Even if the message variable was empty, it should at least show the "Source: " line (just like "Message: " and "Full Message: ").


(Dodge Camaro) #8

I use such versions of applications in docker-compose:

  1. Graylog 2.3.1+9f2c6ef on baec6bf2ca74 (Oracle Corporation 1.8.0_141 on Linux 4.4.0-1022-aws)
  2. Elasticsearch 5.5.1
  3. MongoDB 3
  4. Nginx:latest

I don't know how templates are used.
Maybe I used the wrong letter for an example.


(Dodge Camaro) #9

@jochen Need more information?


(Dodge Camaro) #10

@jochen Please answer my question.
Full information about the problem you can find in GitHub Issues

Full info about problem

Expected Behavior

When a request comes, the mail should receive a notification with short information provided by the user.

Format message:

    You have a new request
    Date: 2017-09-14T18:54:23.671Z
    Firstname: Jack
    Lastname: Black
    Phone: +12345678900
    Site page: https://site.com/example/page
    IP address: 000.00.00.00

I propose to create a separate tab with variables for their customization and call it “Variables” with the items “Global” and “Local”. “Global” for Inputs, and “Local” for the Graylog cluster.

Current Behavior

I have these alerts

    Alert Description: Stream received messages matching <user:"Black"> (Current grace time: 0 minutes)
    Date: 2017-09-14T18:13:14.226Z
    Stream ID: 59b92df92ab79c0001201034
    Stream title: New Stream
    Stream description: Maybe
    Alert Condition Title: Condition_test
    Stream URL: Please configure 'transport_email_web_interface_url' in your Graylog configuration file.

    Triggered condition: a33229ec-cc9a-4577-84dd-0a58cc310de4:field_content_value={field: user, value: Black, grace: 0, repeat notifications: false}, stream:={59b92df92ab79c0001201034: "New Stream"}
    ##########

    Last messages accounting for this alert:

Or this

    ##########
    Alert Description: Dummy alert to test notifications
    Date: 2017-09-14T18:18:34.009Z
    Stream ID: 59b92df92ab79c0001201034
    Stream title: New Stream
    Stream description: Maybe
    Alert Condition Title: Test Alert
    Stream URL: Please configure 'transport_email_web_interface_url' in your Graylog configuration file.

    Triggered condition: 5b28ae34-ef36-4600-860d-64b576301d65:dummy={Dummy alert to test notifications}, stream:={59b92df92ab79c0001201034: "New Stream"}
    ##########

    <No backlog>

I want to take information as in the example written in “Expected Behavior”

    You have a new request
    Date: 2017-09-14T18:54:23.671Z
    Firstname: Jack
    Lastname: Black
    Phone: +12345678900
    Site page: https://site.com/example/page
    IP address: 000.00.00.00

Steps to Reproduce (for bugs)

  1. Edit graylog.conf
    password_secret = secretpass
    root_password_sha2 = secretpasssha2
    root_email = mail@mail.com
    root_timezone = Europe/Kiev
    rest_listen_uri = https://0.0.0.0:9000/api/
    web_listen_uri = https://0.0.0.0:9000/
    elasticsearch_hosts = http://elasticsearch:9200
    elasticsearch_compression_enabled = true
    transport_email_enabled = true
    transport_email_hostname = smtp.gmail.com
    transport_email_port = 465
    transport_email_use_auth = true
    transport_email_use_tls = true
    transport_email_use_ssl = true
    transport_email_auth_username = mail@mail.com
    transport_email_auth_password = password
    transport_email_subject_prefix = [graylog]
    transport_email_from_email = graylog@example.com
    transport_email_web_interface_url = https://site.com

    Other settings are default.

  2. Create nginx.conf

    user nginx;
    worker_processes 1;

    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;

    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        proxy_hide_header X-Powered-By;
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";

        # Strict Transport Security
        add_header Strict-Transport-Security "max-age=63072000; preload" always;

        server_tokens off;

        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';

        access_log off;

        sendfile on;
        #tcp_nopush on;

        keepalive_timeout 65;

        gzip on;
        gzip_disable "msie6";
        gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

        server {
            listen 80;
            listen [::]:80;
            server_name site.com;
            return 301 https://site.com$request_uri;
        }

        server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            server_name site.com;
            resolver 8.8.4.4 8.8.8.8 valid=300s;
            resolver_timeout 10s;

            ssl_stapling on;
            ssl_stapling_verify on;
            ssl_certificate /etc/ssl/private/fullchain.pem;
            ssl_certificate_key /etc/ssl/private/privkey.pem;
            ssl_trusted_certificate /etc/ssl/private/chain.pem;
            ssl_dhparam /etc/pki/nginx/dhparam.pem;

            # Set up preferred protocols and ciphers. TLS1.2 is required for HTTP/2
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!aNULL:!ADH:!AECDH:!MD5;

            # This is a cache for SSL connections
            ssl_session_cache shared:SSL:10m;
            ssl_session_timeout 60m;

            access_log off;

            if ( $http_user_agent ~* (nmap|nikto|wikto|sf|sqlmap|bsqlbf|w3af|acunetix|havij|appscan) ) {
                return 444;
            }

            location / {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Graylog-Server-URL https://$server_name/api;
                proxy_pass http://graylog:9000;
            }

            location /log {
                proxy_set_header Host $http_host;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-Server $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Graylog-Server-URL https://$server_name/gelf;
                proxy_pass http://graylog:12201/gelf;
            }
        }
    }

  3. Create certificate in letsencrypt1

  4. docker-compose up -d

docker-compose.yml

    version: '2'
    services:
      proxy:
        image: nginx
        container_name: proxy
        ports:
          - 80:80
          - 443:443
        volumes:
          - ./proxy/nginx.conf:/etc/nginx/nginx.conf
          - /etc/letsencrypt/live/site.com/privkey.pem:/etc/ssl/private/privkey.pem
          - /etc/letsencrypt/live/site.com/fullchain.pem:/etc/ssl/private/fullchain.pem
          - /etc/letsencrypt/live/site.com/chain.pem:/etc/ssl/private/chain.pem
          - ./proxy/ssl/dhparam.pem:/etc/pki/nginx/dhparam.pem
        depends_on:
          - graylog
        mem_limit: 1g
        networks:
          - graylog

      mongodb:
        image: mongo:3
        container_name: mongo
        volumes:
          - /db:/data/db
        mem_limit: 2g
        restart: always
        networks:
          - graylog

      elasticsearch:
        image: docker.elastic.co/elasticsearch/elasticsearch:5.5.1
        container_name: elasticsearch
        volumes:
          - es_data:/usr/share/elasticsearch/data
        environment:
          - http.host=0.0.0.0
          - transport.host=localhost
          - network.host=0.0.0.0
          # Disable X-Pack security: https://www.elastic.co/guide/en/elasticsearch/reference/5.5/security-settings.html#general-security-settings
          - xpack.security.enabled=false
          - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
        ulimits:
          memlock:
            soft: -1
            hard: -1
        mem_limit: 1g
        restart: always
        networks:
          - graylog

      graylog:
        image: graylog/graylog:latest
        container_name: graylog
        volumes:
          - ./graylog/config:/usr/share/graylog/data/config
          - graylog_journal:/usr/share/graylog/data/journal
        environment:
          - GRAYLOG_PASSWORD_SECRET=secretpass
          - GRAYLOG_ROOT_PASSWORD_SHA2=sha2secretpass
          - GRAYLOG_WEB_ENDPOINT_URI=https://site.com/api
        links:
          - mongodb:mongo
          - elasticsearch
        depends_on:
          - mongodb
          - elasticsearch
        mem_limit: 2g
        restart: always
        networks:
          - graylog

    volumes:
      es_data:
        driver: local
      graylog_journal:
        driver: local

    networks:
      graylog:
        driver: bridge

  5. Create Stream and add Stream Rules with this option

    Field source must contain https://

  6. Create Global Inputs GELF HTTP with default settings, on port 12201

  7. Create Conditions

    Configuration: Alert is triggered when messages matching <source: "https://"> are received. Grace period: 0 minutes. Including last message in alert notification. Configured to repeat notifications.

  8. Create Notifications

    ##########
    Alert Description: ${check_result.resultDescription} Date: ${check_result.triggeredAt}
    Stream ID: ${stream.id} Stream title: ${stream.title}
    Stream description: ${stream.description} Alert Condition Title: ${alertCondition.title}
    ${if stream_url}Stream URL: ${stream_url}${end}

    Triggered condition: ${check_result.triggeredCondition}
    ##########

    ${if backlog}Last messages accounting for this alert: ${foreach backlog message.fields}${message.fields.status}

    ${end}${else}
    ${end}

  9. Send information in JSON from site to Graylog.

    {
    "version": "1.1",
    "full_message": {"data": "message data"},
    "host": "https://example.com",
    "short_message": "uid",
    "_email": "j.doe@eample.com",
    "_step": "step_1",
    "_status": "success",
    "_agent": "empty"
    }

Context

I want to get the function that is in Graylog out of the box.

I spent a lot of time looking for a solution to this problem, but I did not find it.

Your Environment

Graylog Version: v2.3.1+9f2c6ef
Elasticsearch Version: v. 5.5.1
MongoDB Version: v. 3.4.8
Browser version: Google Chrome 61.0.3163.91
Operating System: Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-1022-aws x86_64)
Cluster in Docker container:
Docker-compose Version: 1.13.0, build 1719ceb
Docker Version: 17.05.0-ce, build 89658be
Nginx Version: latest
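The GELF payload posted in step 9 above is what Graylog's GELF HTTP input has to parse before any alert template can see fields like `status`. The following script, added here as an example (it is not code from the thread or from the Graylog project), builds and checks a GELF 1.1 payload against the published spec rules: `version`, `host` and `short_message` are required, `full_message` is a string, and every custom field must be prefixed with `_` (which Graylog drops when it stores the field, so `_status` becomes `status`). The sample values and the `http://graylog:12201/gelf` URL are constructed placeholders.

```python
"""Build and sanity-check a GELF 1.1 payload like the one in step 9 above.

Added example, not code from the thread or from the Graylog project. The field
rules are the ones in the published GELF payload specification; the sample
values and the endpoint URL are constructed placeholders.
"""
import json
import re
import urllib.request

REQUIRED = ("version", "host", "short_message")
# Keys the spec defines; anything else must carry a leading underscore.
STANDARD = REQUIRED + ("full_message", "timestamp", "level", "facility", "line", "file")
STRING_FIELDS = ("version", "host", "short_message", "full_message")
ADDITIONAL_NAME = re.compile(r"^_[A-Za-z0-9_.\-]+$")


def build_gelf(host, short_message, full_message=None, **extra):
    """Return a GELF dict; keyword arguments become '_'-prefixed additional fields."""
    msg = {"version": "1.1", "host": host, "short_message": short_message}
    if full_message is not None:
        # full_message is a string in GELF: serialise structured data instead of nesting it.
        msg["full_message"] = (full_message if isinstance(full_message, str)
                               else json.dumps(full_message))
    for name, value in extra.items():
        key = name if name.startswith("_") else "_" + name
        if key == "_id":
            raise ValueError("_id is reserved by Graylog and must not be sent")
        if not ADDITIONAL_NAME.match(key):
            raise ValueError(f"illegal additional field name: {key}")
        msg[key] = value
    return msg


def validate_gelf(msg):
    """Return a list of spec violations; an empty list means the payload is acceptable."""
    problems = []
    for key in REQUIRED:
        if key not in msg:
            problems.append(f"missing required field {key}")
    if "version" in msg and msg["version"] != "1.1":
        problems.append("version must be the string '1.1'")
    for key in STRING_FIELDS:
        if key in msg and not isinstance(msg[key], str):
            problems.append(f"{key} must be a string, got {type(msg[key]).__name__}")
    for key in msg:
        if key not in STANDARD and not key.startswith("_"):
            problems.append(f"custom field {key} must be sent as _{key}")
        elif key.startswith("_") and not ADDITIONAL_NAME.match(key):
            problems.append(f"illegal additional field name: {key}")
    if "_id" in msg:
        problems.append("_id is reserved")
    return problems


def send_gelf_http(msg, url="http://graylog:12201/gelf"):
    """POST the payload to a GELF HTTP input (placeholder URL) and return the HTTP status."""
    problems = validate_gelf(msg)
    if problems:
        raise ValueError("; ".join(problems))
    req = urllib.request.Request(url, data=json.dumps(msg).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample mirroring the thread's payload; the extra keys show up in
    # Graylog as the fields email, step, status and agent (the underscore is dropped).
    payload = build_gelf("https://example.com", "uid", {"data": "message data"},
                         email="j.doe@example.com", step="step_1",
                         status="success", agent="empty")
    print(json.dumps(payload, indent=2))
    print("problems:", validate_gelf(payload))
```

Running `validate_gelf` on the payload exactly as posted (with `full_message` as a nested object) reports the non-string `full_message`; `build_gelf` avoids that by serialising structured data into the string the spec expects.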


(Jochen) #11

That’s not how the templating works. The backlog variable contains a collection of message objects which you have to iterate over.

Please take a look at the documentation as mentioned before:

Example:

    ${if backlog}
    Last messages accounting for this alert:
    ${foreach backlog message}
    Status: ${message.fields.status}
    ${end}
    ${else}
    Empty backlog
    ${end}
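
To make the difference between the two templates concrete, here is a small renderer for the `${...}` syntax, added as an example; it is not code from the thread or from Graylog (whose real engine is JMTE), and it supports only `${var.path}`, `${if}`/`${else}`/`${end}` and `${foreach collection item}`/`${end}`. The `backlog` and `stream` objects are constructed sample data standing in for what Graylog passes to the template. Rendering the working template yields one `Status:` line per backlog message; rendering the variant from the earlier post, whose loop variable is named `message.fields`, yields blank lines because `${message.fields.status}` then resolves a variable called `message` that was never bound.

```python
"""Toy renderer for Graylog-style ${...} alert templates.

Added example, not code from the thread or from Graylog. It implements just
enough of the syntax (dotted variables, if/else/end, foreach/end) to show why
"${foreach backlog message}" works and "${foreach backlog message.fields}" does
not. The scope returned by sample_scope() is constructed sample data.
"""
import re

TOKEN = re.compile(r"\$\{(.*?)\}")

GOOD_TEMPLATE = """${if backlog}
Last messages accounting for this alert:
${foreach backlog message}
Status: ${message.fields.status}
${end}
${else}
Empty backlog
${end}"""

# Variant from the earlier post: the loop variable is called "message.fields", so
# "${message.fields.status}" looks up a top-level variable "message" that does not exist.
BAD_TEMPLATE = ("${if backlog}Last messages accounting for this alert: "
                "${foreach backlog message.fields}${message.fields.status}\n"
                "${end}${else}<No backlog>${end}")


def sample_scope():
    """Constructed stand-in for the objects Graylog hands to the template."""
    return {
        "stream": {"id": "EXAMPLE-STREAM-ID", "title": "New Stream"},
        "backlog": [
            {"message": "uid", "source": "https://example.com",
             "fields": {"status": "success", "step": "step_1"}},
            {"message": "uid", "source": "https://example.com",
             "fields": {"status": "failed", "step": "step_2"}},
        ],
    }


def lookup(path, scope):
    """Resolve a dotted path such as message.fields.status; unknown names render empty."""
    cur = scope
    for part in path.split("."):
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            return ""
    return cur


def render(template, scope):
    """Render a template string against a scope dict."""
    return _block(TOKEN.split(template), 0, scope, True)[0]


def _block(tokens, i, scope, emit):
    """Consume tokens until a matching ${end}/${else}; return (text, next index, stop word).

    re.split with one capture group yields literal text at even indexes and
    directive text at odd indexes. With emit=False the block is only skipped.
    """
    out = []
    while i < len(tokens):
        if i % 2 == 0:
            if emit:
                out.append(tokens[i])
            i += 1
            continue
        words = tokens[i].split()
        head = words[0]
        if head in ("end", "else"):
            return "".join(out), i + 1, head
        if head == "if":
            cond = emit and bool(lookup(words[1], scope))
            then_text, i, stop = _block(tokens, i + 1, scope, cond)
            else_text = ""
            if stop == "else":
                else_text, i, stop = _block(tokens, i, scope, emit and not cond)
            out.append(then_text if cond else else_text)
        elif head == "foreach":
            collection, var = words[1], words[2]
            items = lookup(collection, scope) if emit else []
            start = i + 1
            for item in (items if isinstance(items, list) else []):
                text, _, _ = _block(tokens, start, {**scope, var: item}, True)
                out.append(text)
            _, i, _ = _block(tokens, start, scope, False)  # step past the loop body
        else:
            if emit:
                out.append(str(lookup(head, scope)))
            i += 1
    return "".join(out), i, None


if __name__ == "__main__":
    print(render(GOOD_TEMPLATE, sample_scope()))
    print("---")
    print(repr(render(BAD_TEMPLATE, sample_scope())))
    print(render(GOOD_TEMPLATE, {"backlog": []}))
```

The same renderer also shows the `${if stream_url}` behaviour seen in the thread: when the variable is unset the whole conditional block renders as an empty string, which is why the "Stream URL" line disappears rather than printing a blank value.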

(system) #12

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.