I’m having some difficulty with displaying the actual syslog message string in the notification email that’s sent when an alert triggers. I’m lost on the “fields” portion of the event setup and that may be my issue. I think I’ve read that ${message.fields.full_message} needs to go in the backlog portion. Here’s my setup:
Filter & Aggregation
Type: Aggregation
Search Query: “Administrator login denied due to bad credentials”
Streams: redacted
Search within: 5 minutes
Execute search every: 1 minutes
Group by Field(s): No Group by configured
Create Events if: count() >= 3
Fields: No Fields configured for Events based on this Definition.

Notifications
Settings: Grace Period is set to 1 minute 30 seconds. Notifications will not include any messages.
Sonicwall Login Failures (Email Notification)
Description: 3 or more administrator login attempts detected in the past 5 minutes.
--- [Event Definition] ---------------------------
Title: {event_definition_title}
Description: {event_definition_description}
Type: {event_definition_type}
--- [Event] --------------------------------------
Timestamp: {event.timestamp}
Message: {event.message}
Source: {event.source}
Key: {event.key}
Priority: {event.priority}
Alert: {event.alert}
Timestamp Processing: {event.timestamp}
Timerange Start: {event.timerange_start}
Timerange End: {event.timerange_end}
Fields:
{foreach event.fields field} {field.key}: {field.value}
{end}
{if backlog}
--- [Backlog] ------------------------------------
Last messages accounting for this alert:
{foreach backlog message}
{message}
{message.fields.full_message}
{end}
{end}