Sending email alert automatically

Hello everyone,
Please i would be grateful if someone help me in " email alert " in the case of email alert in graylog 2.5, why the email does not send automaticcally when the action is triggered ….I receive the email if I do a " test alert "

You ask questions without offering background information.

  • What configuration do you have in your server.conf (located at /etc/graylog/server/ by default on my Ubuntu) file that is related to e-mail? (post it)
  • What is the configuration for the alert you are testing? (post it)
  • Have you tested to see if your e-mail server will send/receive e-mail coming from the Graylog server (Telnet from Graylog server to e-mail server port 25 and run commands to send a test e-mail)

Whenever you post a question, you should say what you have looked and and tried, show what your current related configs are and post relevant log entries.

1 Like

in centos 7 /etc/graylog/server/server.conf

I want to be notified automatically with email when there is a connection ssh failed to my VM zabbix


can i use AlertManager

Have you configured an alert condition or just the alert notification?

If you haven’t configured the alert condition, you won’t get an email because there is no alert being triggered.

1 Like

Hi @Ponet Yes, you’re right , check with me please if i well configured the alert condition

Are you sure that the failed authentication messages are being routed into the “alert zabbix” stream?

The example message screenshot you posted in an earlier reply only appears to be in the “All Messages” stream.

1 Like

In your example message, the field full_message doesn’t exist.

Try with the field set to message.

Yes… Notice the message in the second section “This message would not be routed to this stream.”

You need to update the stream rule. It is looking for “Failed password” in the field full_message. It isn’t going to match on your desired message because it doesn’t have a full_message field.

Update your stream rule to check the message field for the value “Failed password”.

1 Like

Could you expand a bit on that?

Look at the actual rule. "Field full_message must contain Failed password".

When that rule tests against your message, it evaluates to false because the message does not contain the field full_message. This means the message will not be routed into the stream.

Update that rule so that it is checking the message field.

Your rule should then say: "Field message must contain Failed password"

1 Like

so, please I have to edit there ??

Yes. Change the ‘Field’ value from full_message to message.

1 Like


No. Please re-read what I wrote.

This is very simple. I cannot explain any better than I already have.

sorry bro ! I change the field " Value " ??

Change the ‘Field’ value from full_message to message .

1 Like