Use extracted field as email alert recipient

kkplein · October 3, 2019, 10:32am

Hi!

We love graylog, thank you for making it available!!

Have setup an extractor to extract “ad_username” from authentication failures. Now we want to setup an alert for more than X authentication failures in a row, to alert the end user. So, as an alert recipeint, we are trying to use the extracted username, like: ad_username@company.com

However, the “ad_username” is kept, rather then being replaced by the actual username, so the email is sent to ad_username@company.com which of course does not work.

We tried: ${ad_username}@company.com, $${$ad_username}@company.com, {$ad_username}@company.com, etc, all with similar result.

Is what we are trying to do possible? FYI: graylog 2.4 (yes, we need to upgrade)

jan · October 4, 2019, 8:25am

he @kkplein

such a request is not possible. It would be a feature request over at github. But that will be never get a backport to that version you are using.

kkplein · October 4, 2019, 8:39am

Hi Jan,

Aha, not possible now, good to know I’m not missing something. I will submit a feature request, and of course I understand that it would not be ported to our old version. We have to upgrade anyway, and that is fine. Just haven’t done it yet.

Thanks for the reply!

jan · October 4, 2019, 9:17am

system · October 18, 2019, 9:17am

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog 3.1 using extractor in email subject Graylog Central (peer support)	5	417	November 1, 2019
Best practice - unwanted field extraction Graylog Central (peer support)	7	1328	January 19, 2022
Sshd field username Graylog Central (peer support)	3	2158	June 26, 2017
Extracting string from a mesage Graylog Central (peer support)	2	694	February 15, 2022
Extractor catch next occurence Graylog Central (peer support)	3	428	July 13, 2018

Use extracted field as email alert recipient

Related Topics