[REQ] Help to customize the body of the email Alarm Notification

Good morning,
I need some help to customize the body of the email that graylog sends me in case a certain event occurs.
I’m testing with Suricata 6, which sends its signature-match logs to Graylog.
I created some extractors using the Regular expression function, so now part of the message has been split up.
At the moment the email body is configured as default.

I use Graylog v4.2.7+879e651

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
${end}

Below is an example of a log I receive from Suricata 6, with sensitive data removed.

2022-03-24 08:03:01.211 +01:00	XXXXXXXXXXX
2022-03-24T08:03:00.671491+0100 Source IP: XXX.XXX.XXX.XXX:XXXX Destination IP: XXX.XXX.XXX.XXX:XXXX protocol: TCP signature: ET POLICY XXXXXXXXXXXXXXXXXXXXXXXXXXXXt
 XXXXXXXXXXXXXXXXXXXXXXXXXXX

Timestamp: 2022-03-24 08:03:01.211
Received by: appliance-syslog-udp on xxxxxxxxx / xxxxxxxx
Stored in index: graylog_358
Routed into streams: All messages, Alert Level 2

application_name: XXXXXXXX
destip: XXX.XXX.XXX.XXX
facility: user-level
facility_num: 1
isSynced: 0
level: 2
message: 2022-03-24T08:03:00.671491+0100 Source IP: XXX.XXX.XXX.XXX:XXXX Destination IP: XXX.XXX.XXX.XXX:XXXX protocol: TCP signature: ET POLICY ET POLICY XXXXXXXXXXXXXXXXXXXXXXXXXXXX
signature: ET POLICY XXXXXXXXXXXXXXXXXXXXXXXXXXXX
source: XXXXXXXXXXX
sourceip: XXX.XXX.XXX.XXX
timestamp: 2022-03-24 08:03:01.211 +01:00
tzKnown: 1

At the moment, with the default configuration, I get an email that includes all the message fields in a single body.
I would like to get a more readable email, as in the example below.

--- [Event Definition] ---------------------------
Title:       Alert Event Level 1
Description: Alert Event Level 1
Type:        aggregation-v1
--- [Event] --------------------------------------
Timestamp:            2022-03-23T09:14:06.128Z
Message:              Alert Event Level 1
Source:               XXXXXX
Key:
Priority:             3
Alert:                true
Timestamp Processing: 2022-03-23T09:14:06.128Z
Timerange Start:
Timerange End:
Fields:

Source: 	source
Source Ip:	sourceip
Destination Ip:	destip
Signature:	signature

--- [Backlog] ------------------------------------
Last messages accounting for this alert:

{index=graylog_385, message=XXXXXXXXXXXXXXXXXXX}

Obviously the syntax is incorrect; what I would like to add to the default is to have the fields separated as indicated below.

Source: 	source
Source Ip:	sourceip
Destination Ip:	destip
Signature:	signature

Could anyone help me change the syntax?
Thanks in advance.

Alessio

Hello,

You can access the fields with message.

For example:

Source: ${message.source}

Thanks for the answer.
I already did, but I probably added that string in the wrong place in the template.

I modified the template as follows, but only the Signature field is filled with the extracted data, the other three fields in the received email remain empty.
See [Backlog] code.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message}
Source: 	${message.source}
Source Ip:	${message.sourceip}
Destination Ip:	${message.destip}
Signature:	${message.signature}
${end}
${end}

Hi,

The formatting seems right. Please compare the received email with the message in Graylog for the missing fields. Are they there? Are they empty?

Checking the email received:

Source: ${message.source} - The field contains the data
Source Ip: ${message.sourceip} - The field is empty
Destination Ip: ${message.destip} - The field is empty
Signature: ${message.signature} - The field is empty

The values in the log on Graylog appear regularly; they are present.

I tried to request only the field below:
Source Ip: ${message.sourceip}
Blank result.
I imagine at this point that the data is not found in message.sourceip but that it has to be searched for elsewhere, since sourceip is obtained from the main message through an extractor with the regular expression option.

Try adding in .fields and perhaps it’s ${message.message}

${foreach backlog message}
   ${message.message}
   Source: 	           ${message.source}
   Source Ip:	       ${message.fields.sourceip}
   Destination Ip:     ${message.fields.destip}
   Signature:          ${message.fields.signature}
${end}
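As an added illustration (not code from this thread, from the poster, or from Graylog), the following Python script models the two pieces the replies above establish: a regex extractor that splits the Suricata line into sourceip, destip and signature, and a minimal stand-in for the notification template engine that shows why ${message.sourceip} renders empty while ${message.fields.sourceip} renders the extracted value. The backlog message layout (index, message and source at the top level, extractor output under fields), the regex patterns, the sample log line with RFC 5737 test addresses, and every function name are assumptions constructed for this example; Graylog's real templates are rendered by JMTE, which this toy resolver only approximates.

```python
import re

# Constructed sample line in the shape the thread shows, with RFC 5737
# test addresses and a placeholder signature name (not a real alert).
SAMPLE_LOG = (
    "2022-03-24T08:03:00.671491+0100 Source IP: 192.0.2.10:44321 "
    "Destination IP: 198.51.100.7:443 protocol: TCP "
    "signature: ET POLICY Example Signature Name"
)

# One pattern per extracted field, each with a single capture group, the
# way a Graylog "Regular expression" extractor is configured. These
# patterns are assumptions for the example, not the poster's extractors.
FIELD_PATTERNS = {
    "sourceip": r"Source IP: (\d{1,3}(?:\.\d{1,3}){3}):\d+",
    "destip": r"Destination IP: (\d{1,3}(?:\.\d{1,3}){3}):\d+",
    "signature": r"signature: (.+?)\s*$",
}


def extract_fields(text):
    """Run every extractor pattern over the raw message; a field whose
    pattern does not match is simply absent, as with a Graylog extractor."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        if match:
            fields[name] = match.group(1)
    return fields


def build_backlog_message(raw, source, index):
    """Model of one backlog entry as the thread's observations imply:
    built-in keys at the top level, extracted fields under 'fields'.
    This layout is an assumption drawn from the thread, not a documented
    Graylog schema."""
    return {"index": index, "message": raw, "source": source,
            "fields": extract_fields(raw)}


FOREACH_RE = re.compile(r"\$\{foreach (\w+) (\w+)\}(.*?)\$\{end\}", re.S)
VAR_RE = re.compile(r"\$\{([\w.]+)\}")


def resolve(ctx, dotted):
    """Walk a dotted path through nested dicts; None when a step is missing."""
    cur = ctx
    for part in dotted.split("."):
        if isinstance(cur, dict) and part in cur:
            cur = cur[part]
        else:
            return None
    return cur


def render_vars(text, ctx):
    """Substitute ${a.b.c}; an unresolved path renders as an empty string,
    which is exactly the 'field is empty' symptom seen in the thread."""
    def sub(m):
        value = resolve(ctx, m.group(1))
        return "" if value is None else str(value)
    return VAR_RE.sub(sub, text)


def render(template, ctx):
    """Toy renderer: expands ${foreach list item}...${end} (no nesting),
    then substitutes the remaining variables."""
    def expand(m):
        list_name, item_name, body = m.groups()
        items = resolve(ctx, list_name) or []
        return "".join(render_vars(body, {**ctx, item_name: item}) for item in items)
    return render_vars(FOREACH_RE.sub(expand, template), ctx)


# Modelled on the poster's second attempt: fields addressed directly.
BROKEN_TEMPLATE = (
    "${foreach backlog message}"
    "Source: ${message.source}\n"
    "Source Ip: ${message.sourceip}\n"
    "${end}"
)

# The working form from the last reply: extracted fields under .fields.
FIXED_TEMPLATE = (
    "${foreach backlog message}"
    "${message.message}\n"
    "Source: ${message.source}\n"
    "Source Ip: ${message.fields.sourceip}\n"
    "Destination Ip: ${message.fields.destip}\n"
    "Signature: ${message.fields.signature}\n"
    "${end}"
)


def render_both():
    """Render both templates over one constructed backlog message."""
    backlog = [build_backlog_message(SAMPLE_LOG, "sensor-01", "graylog_358")]
    ctx = {"backlog": backlog}
    return render(BROKEN_TEMPLATE, ctx), render(FIXED_TEMPLATE, ctx)
```

Calling render_both() returns the two rendered bodies: the first has an empty Source Ip line because the extracted value does not live directly on the message object in this model, the second carries all three extracted values. When an email field comes out blank, this is the check to make first: confirm the field is present on the message in Graylog (the message view the poster pasted shows it), then confirm the template addresses it under the right path.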

Thanks, now it works perfectly!!!


Problem solved
Now I understand the correct syntax
Thank you
