airbus-cyber / graylog-plugin-logging-alert

Alert notification plugin for Graylog to generate log messages from alerts

${logging_alert.messages_url} with multiple streams #4

Closed frantz45 closed 4 years ago

frantz45 commented 5 years ago

When we create a rule "OR", "AND", "THEN" with the wizard, it uses multiple streams. However the variable ${logging_alert.messages_url} only contains the first stream. It would be nice to also deal with the second stream. For example with an "OR" rule you have to create a search request like this:

stream:aaaaaaaaaaaaaa OR stream:bbbbbbbbbbbb

If the rule uses split fields:

(stream:aaaaaaaaaaaaaa OR stream:bbbbbbbbbbbb) AND split_fields1:xxx AND split_fields2:yyy

tomasnk commented 4 years ago
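To make the requested query shape concrete, here is an added example (not code from the graylog-plugin-logging-alert project) that builds the search request the comment above describes: one `stream:` term per stream joined with OR, wrapped in parentheses and ANDed with the split-field terms when any are present. The function names, the Lucene escaping rule and the `urllib.parse.quote` step for embedding the query in a URL are assumptions of this example; the plugin's own URL layout is not shown on this page.

```python
from urllib.parse import quote

# Characters with special meaning in Lucene/Graylog query syntax.
# Split-field values come from message content, so they are escaped
# before being placed in the query (assumed rule, not the plugin's).
_LUCENE_SPECIALS = set('+-!(){}[]^"~*?:\\/&| ')


def escape_term(value: str) -> str:
    """Backslash-escape Lucene metacharacters in a field value."""
    return "".join("\\" + ch if ch in _LUCENE_SPECIALS else ch for ch in value)


def build_search_query(stream_ids, split_fields=None) -> str:
    """Build the Graylog search string for one alert.

    stream_ids   -- list of stream IDs the rule touches (one or more)
    split_fields -- optional mapping of split field name -> value
    """
    if not stream_ids:
        raise ValueError("at least one stream id is required")

    # One term per stream; "OR" covers the single-stream case as well.
    stream_clause = " OR ".join(f"stream:{sid}" for sid in stream_ids)
    if not split_fields:
        return stream_clause

    # Parentheses keep the OR group intact when ANDing the split fields.
    if len(stream_ids) > 1:
        stream_clause = f"({stream_clause})"
    field_clauses = [
        f"{name}:{escape_term(str(value))}" for name, value in split_fields.items()
    ]
    return " AND ".join([stream_clause] + field_clauses)


def as_url_param(query: str) -> str:
    """Percent-encode the query so it can be used as a URL query parameter."""
    return quote(query, safe="")


if __name__ == "__main__":
    # Constructed stream IDs, matching the shape used in the issue text.
    streams = ["aaaaaaaaaaaaaa", "bbbbbbbbbbbb"]
    print(build_search_query(streams))
    print(build_search_query(streams, {"split_fields1": "xxx", "split_fields2": "yyy"}))
    print(as_url_param(build_search_query(streams)))
```

Running the module prints the two query forms quoted in the issue, followed by the URL-encoded version of the first one.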

For the rules "AND" and "THEN" the messages_url contains both streams; for the "OR" rule only the stream used. Logging alert version 2.1.2.