Slack Webhook the message is the event name and the source is incorrect


1. Describe your incident:
When an alert is sent to Slack, instead of the log message it sends the Event name.

2. Describe your environment:

The default Slack configuration:

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Event Fields:
${foreach event.fields field}
${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
${message.timestamp}  ::  ${message.source}  ::  ${message.message}
${message.message}
${end}${end}

The notification looks like this:

The message is the Title for the Event and the source is wrong.

Alert Title for this Event Definition, Events and Alerts created from it. triggered:
Custom Message:
--- [Event Definition] ---------------------------
Title:       Title for this Event Definition, Events and Alerts created from it.
Type:        aggregation-v1
--- [Event] --------------------------------------
Timestamp:            2022-01-26T12:31:49.000Z
Message:              Title for this Event Definition, Events and Alerts created from it.
Source:               1460f886a2de
Key:                  
Priority:             2
Alert:                true
Timestamp Processing: 2022-01-26T12:31:49.000Z
Timerange Start:      
Timerange End:        
Event Fields:

3. What steps have you already taken to try and solve the problem?
Googled, but found nothing about this.

4. How can the community help?


I tried to enable email now and it was the same behavior there.

What can I do? Do you need any more information?

Thanks!

Hello,

When posting configurations, logs or commands, please use the markup so it will be easier to read, thanks…

Judging from your title "event name and the source is incorrect"

Two things on the source section

Source:               ${event.source}
Source of alert:      ${message.source}

Next, Event Name has a couple.

Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}

So, putting that all together, you have this as shown below…

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}

Source of alert: ${message.source}

${end}
${end}

Hope that helps

Hi,

I might not have been clear.

When testing the alerting I look for a message when I connect to the VPN:
message:“openvpn: user ‘username’ authenticated”

When I then receive the alarm it looks like this:

These two give incorrect values:

Message:              ${event.message}
Source:               ${event.source}

It should look like this?:

Message:              message:"openvpn: user 'username' authenticated"
Source:               openvpn

Thanks for reminding me about markup.

Hello,

Actually you were,
but I appreciate the extra info.

Below is what you have.

What I tried to show you was the source as shown below…

Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Source: ${message.source} <--- you might need this 
${end}
${end}

The Message: ${event.message}

You may need to do this Message: ${message.message}

Here is the completed configuration I was suggesting to you to try out.

--- [Event Definition] ---------------------------
Title:       ${event_definition_title}
Description: ${event_definition_description}
Type:        ${event_definition_type}
--- [Event] --------------------------------------
Timestamp:            ${event.timestamp}
Message:              ${event.message}
Source:               ${event.source}
Key:                  ${event.key}
Priority:             ${event.priority}
Alert:                ${event.alert}
Timestamp Processing: ${event.timestamp}
Timerange Start:      ${event.timerange_start}
Timerange End:        ${event.timerange_end}
Fields:
${foreach event.fields field}  ${field.key}: ${field.value}
${end}
${if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
${foreach backlog message}
Source:              ${message.source}
message:             ${message.message}
${end}
${end}

If you want to display openvpn: user ‘username’ authenticated, the ${event.message} is linked to the Title of the Event Definitions.

What you might need to do is shown above in my example to achieve your goals. Perhaps give it a test; if it doesn’t work, post here what happened. Also notice where my configuration adjustments are located.
Hope that helps

EDIT: From the configuration I showed you above, here are the results. Perhaps this is what you’re looking for.
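Both replies above turn on which template variable holds what: ${event.message} is filled with the event definition title, while the original log line is only reachable through the backlog as ${message.message} (and its source as ${message.source}). As an added illustration, not code from this thread or from Graylog itself, the stand-in renderer below handles the ${name}, ${foreach} and ${if} directives used in the replies and renders a constructed event so the two values can be compared side by side:

```python
import re
from functools import reduce

# Constructed sample (not real data): event.message carries the event definition
# title, while the original log line only survives in the backlog.
EVENT = {
    "event_definition_title": "OpenVPN login",
    "event": {"message": "OpenVPN login", "source": "1460f886a2de"},
    "backlog": [{"timestamp": "2022-01-26T12:31:49.000Z", "source": "openvpn",
                 "message": "openvpn: user 'username' authenticated"}],
}
TEMPLATE = """Message: ${event.message}
Source:  ${event.source}
${if backlog}--- [Backlog] ---
${foreach backlog message}${message.timestamp} :: ${message.source} :: ${message.message}
${end}${end}"""

def lookup(ctx, path):  # resolve a dotted path such as 'message.source'
    return reduce(lambda c, k: c.get(k) if isinstance(c, dict) else None,
                  path.split("."), ctx)

def _render(toks, i, ctx):  # toks alternate text/tag; render up to the matching ${end}
    out = []
    while i < len(toks):
        val, is_tag = toks[i], i % 2 == 1
        i += 1
        if not is_tag:
            out.append(val)
        elif val == "end":
            break
        elif val.startswith("foreach "):
            _, path, name = val.split()
            body = i  # [None] walks the body once so an empty list still reaches ${end}
            for item in lookup(ctx, path) or [None]:
                text, i = _render(toks, body, {**ctx, name: item})
                out.append(text if item is not None else "")
        elif val.startswith("if "):
            text, i = _render(toks, i, ctx)
            if lookup(ctx, val[3:]):
                out.append(text)
        else:
            value = lookup(ctx, val)
            out.append("" if value is None else str(value))
    return "".join(out), i

def render(template, ctx):
    # Directives: ${name}, ${foreach list item}...${end}, ${if cond}...${end}
    return _render(re.split(r"\$\{([^}]+)\}", template), 0, ctx)[0]
```

Rendering TEMPLATE against EVENT prints the title on the Message line and the real "openvpn: user 'username' authenticated" line only inside the backlog section, which is the behaviour the thread describes.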

Hi,

Added your config and it is still not sending the message.

Here is a picture of the message:

Any ideas?

Hello,

I’m kind of confused: are you not getting notifications, or are you receiving incorrect notifications?
Not sure what you did, but it helps to show the new configuration that was made and the output that was received.

The Source field does not look right; are you using any extractors on your input, or perhaps a pipeline?
I see a field called utc_timestamp, which makes me think there is something else going on.
By chance are you using HTML in your Notifications?

To help you further we would need more information about your environment like Event Definition, input type configuration, etc… Any logs files that may pertain to this issue would be helpful.

What I posted above does work; it’s the default with the added information about the source field, so I’m assuming at this point you have something else going on we don’t know about.
