Incorrect stream ID in ${stream_url} and ${check_result.triggeredCondition} of alert notification

[eduault]

Expected Behavior

The URL written in alert notifications using the ${stream_url} variable is incorrect.

The URL is http://ip/streams/5b8cf9d461d4970cb039a5c4/search?from=2018-10-08T06%3A21%3A19.173Z&q=%2A&rangetype=absolute&to=2018-10-09T06%3A21%3A19.173Z

It leads to an error page with this message:

Could not retrieve Stream
Loading Stream failed with status: Error: cannot GET http://ip:9000/api/streams/5b8cf9d461d4970cb039a5c4 (404)

But the stream ID '5b8cf9d461d4970cb039a5c4' in the URL does not exist ! I checked that it doesn't exist using Graylog REST API Browser as an administrator. (http://ip:9000/api/streams)

Idem for the ${check_result.triggeredCondition} variable in the email template of the alert notification. Triggered condition: ..., stream:={5b8cf9d461d4970cb039a5c4: ...

This stream ID '5b8cf9d461d4970cb039a5c4' does not exist !

Current Behavior

The URL written in alert notifications using the ${stream_url} should be correct. Idem for the stream ID in the ${check_result.triggeredCondition} variable.

Possible Solution

Fix the values of the ${stream_url} and the ${check_result.triggeredCondition} variables in the email template of the alert notification.

Steps to Reproduce (for bugs)

1. Create an alert condition on a stream
2. Create an alert notification by email, with the default template, which includes the ${stream_url} and the ${check_result.triggeredCondition} variables.
3. Receive an email when the alert condition is reached
4. In a browser, authenticate as administrator and open the URL provided in the email
5. It leads to an error page with this message:

   Could not retrieve Stream
   Loading Stream failed with status: Error: cannot GET http://ip:9000/api/streams/5b8cf9d461d4970cb039a5c4 (404)

Context

I discovered this issue using Graylog in my company (I'm the administrator).

Your Environment

• Graylog Version: 2.4.6+ceaa7e4, codename Wildwuchs
• JVM: Oracle Corporation 1.8.0_172 on Linux 3.13.0-153-generic
• Elasticsearch Version: Version: 5.6.3 (provided with Graylog AMI)
• MongoDB Version: v3.4.9 (provided with Graylog AMI)
• Operating System: Ubuntu on AWS (Linux graylog 3.13.0-153-generic #203-Ubuntu SMP Thu Jun 14 08:52:28 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux)
• Browser version: Firefox, on a Windows PC in a business environment (proxy + firewall + security tools ...)

[jalogisch]

Did you use the default notification template or did you use your own created template for the notification?

[no-response[bot]]

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

[eduault]

I used the default notification template.

[jalogisch]

he @eduault

did you have this error permanent or just with one kind of notification? In addition is the Stream UUID always the same or totally wrong for every stream?

[eduault]

• I had this error every time the alerts conditions were met.
• In my Graylog server, there are alerts conditions defined on only one stream (that I added).

I used alerts conditions of "Message Conditional Count Alert Condition" type (using graylog-plugin-alert-conditional-count-0.0.2 plugin).

[bernd]

The old alerting system is gone and the new events and alerts system works a bit differently so this issue can be closed.