Script arguments for script notification

Hi everyone,

I’m not sure if this belongs in this topic. If not, let me know and I’ll open it again where it belongs.

I’m trying to send info to a ticketing platform using script notification. I’m using Python and I made it work as I wanted, but now I’m facing a problem because I don’t understand how to send the message, the source IP and the input it came from.

I’ve been researching and it looks like I have to do something with event definitions, but I don’t know what to do.
Any information will be very much appreciated.

If I need to provide more information about what I need, please let me know.

Thank you in advance for your time.

I believe you can accomplish this using the ‘Fields’ section when editing an event definition:

It can be confusing, so I’m including an example in the screenshot below. The summary is that you can define additional ‘fields’ to be included as part of the alert message. The ‘template’ format is ${source.<fieldName>}. For source_ip it would be ${source.source_ip}.

Hope that helps.

Good morning Drew,

I really appreciate your reply. I’ve tried that and it worked perfectly :smiley:
Is there any way to take that into script notifications? Can I call that ${source.x} from scripts, or do I need to do something else?

Again, thank you for your time and response.
Hope you’re having a good day.

I did some testing and found that you can pass “fields” to a script as ${event.fields.<fieldName>}

Here is an example:

In the event definition, defining the field (as shown in my previous post, but adding here for clarity):

In the script notification configuration page:

Lastly, in case this is helpful (because it really helped me understand how to use the variables in the script arguments), here is a sample output that is sent to the script. I’ve formatted it as JSON:

{
    "id":"01H5QBSSVCE4WNR15NANXBCKDZ",
    "event_definition_type":"aggregation-v1",
    "event_definition_id":"64b7fdf80053d956a1f556df",
    "origin_context":"urn:graylog:message:es:gl_pfsense_0:c09aad80-2647-11ee-b30a-02423eedda53",
    "timestamp":"2023-07-19T15:20:11.000Z",
    "timestamp_processing":"2023-07-19T15:20:21.100Z",
    "timerange_start":null,
    "timerange_end":null,
    "streams":[],
    "source_streams":[
        "6467ac711936e865130a6763"
    ],
    "message":"TEST script args with message fields",
    "source":"hplap",
    "key_tuple":[],
    "key":"",
    "priority":2,
    "alert":true,
    "fields":{
        "event_action":"allowed"
    },
    "group_by_fields":{},
    "replay_info":{
        "timerange_start":"2023-07-19T15:19:15.249Z",
        "timerange_end":"2023-07-19T15:20:15.249Z",
        "query":"application_name:filterlog",
        "streams":[
            "6467ac711936e865130a6763"
        ]
    }
}

Each of these fields is accessible using the ${event.fieldName} notation. Notice that some data is nested, such as the fields key.

Good evening Drew,

Sorry for the late reply, I’ve been busy putting out a few fires in my office.
Once again, thank you for your time and help. This seems to be working perfectly, but now I have another problem.

The field that contains the error log string does not seem to be delimited by ", so when I parse the arguments to my script it fails.
Is there any way around this? Can I add " to the field in some way?

Thank you again for your help.
I hope you have a wonderful week.
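As an added example (not code from either poster or from Graylog itself), here is one way a Python notification script can consume the event JSON shown above and avoid the unquoted-message problem raised in the last post: instead of reading the message from positional arguments, where an unquoted string is split on spaces, it parses the whole event as one JSON document. It assumes the event JSON reaches the script either on stdin or as a single JSON-encoded argument; the sample event is constructed from the values posted in this thread.

```python
import json
import sys
from typing import Any, Dict, List

# Constructed sample, shaped like the event JSON posted above (trimmed).
SAMPLE_EVENT = {
    "id": "01H5QBSSVCE4WNR15NANXBCKDZ",
    "event_definition_type": "aggregation-v1",
    "timestamp": "2023-07-19T15:20:11.000Z",
    "message": "TEST script args with message fields",
    "source": "hplap",
    "priority": 2,
    "alert": True,
    "fields": {"event_action": "allowed"},
    "replay_info": {"query": "application_name:filterlog"},
}


def build_ticket(event: Dict[str, Any]) -> Dict[str, str]:
    """Pick the values a ticketing platform needs out of a Graylog event.

    Nested keys (fields.*, replay_info.*) are read explicitly, and a
    missing key yields a placeholder rather than a KeyError that would
    abort the notification.
    """
    fields = event.get("fields") or {}
    replay = event.get("replay_info") or {}
    return {
        "title": f"[{event.get('source', 'unknown')}] {event.get('message', '')}",
        "message": str(event.get("message", "")),
        "source": str(event.get("source", "")),
        "event_action": str(fields.get("event_action", "n/a")),
        "query": str(replay.get("query", "")),
        "priority": str(event.get("priority", "")),
    }


def load_event(stdin_text: str, argv: List[str]) -> Dict[str, Any]:
    """Prefer the JSON document on stdin; fall back to one JSON argument.

    Parsing JSON keeps spaces and quotes inside the message intact, which
    positional shell arguments do not (assumption: the event is delivered
    as a single JSON document, not as separate ${event.*} arguments).
    """
    text = stdin_text.strip()
    if not text and len(argv) > 1:
        text = argv[1]
    return json.loads(text)


if __name__ == "__main__":
    ticket = build_ticket(load_event(sys.stdin.read(), sys.argv))
    print(json.dumps(ticket, indent=2))
```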
