Need Help Configuring Alert Actions to Include Log Data in OpenSearch

Gsmitt · April 10, 2024, 2:08am

Correct me if I’m wrong, but you would like more details about the alert in the Notification sent?

Example:
I found that adding this to my query

 "exists": {
"field": "winlog.event_data.SubjectUserName",
"boost": 1
}

Then I would add that field to my Message section…

Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
 -  username: {{_source.winlog.event_data.SubjectUserName}}

Email Results:

> 2 
>  gsmith.domain.com
>  greg.smith

This post might help.

Topic		Replies	Views
How to include message fields in the Alert Action Message for Per query monitor Alerting discuss	6	1311	April 9, 2024
Unable to access Documents Fields (Per Document Monitor Alerts) Alerting	2	155	November 5, 2024
Opensearch alerting -text message in action OpenSearch alerting	2	559	October 26, 2023
How do i include message fields in the Alert Action Message Alerting configure	20	7027	October 19, 2023
Per Document monitor alert that includes Document findings OpenSearch alerting	2	108	August 15, 2024

Need Help Configuring Alert Actions to Include Log Data in OpenSearch

Related topics