
Can I Send Graylog Alerts to Discord?

I’m using Discord to keep up with some technical discussion groups (e.g. TrueNAS and OBS) and I’ve even created a personal Discord server for my family. I’m also running Graylog for log aggregation of my home technology stack (switches, IP phones, Asterisk, Plex, Pi-hole, router), and I was wondering whether I could send automated alerts from Graylog to my Discord server. The timing was good: Graylog posted a blog entry just this past Friday on how to do this very thing. Before we go any further we need to be clear on what is required from a software perspective. You will need a working Graylog server, version 4.0 or greater (I’m running version 4.0.5 on FreeBSD), and you will need to install and license the Enterprise plugin so that you can use the correlation engine. Don’t worry, the Graylog Enterprise plugin is free for personal use under 5 GB of logs a day (I’m at roughly 400 MB a day). You will also need a Discord server, which is free to set up for personal use. Instructions for setting up Graylog can be found here and here.

Make sure you let your children know what you are up to.

Step 1: Inform Your Children

Children are super curious; they like to know when new network monitoring infrastructure is configured for your home network. I’ve found that a bit of subterfuge throws them off the scent.

Create a new #channel for your alerts

Step 2: In Discord, Setup a New Text Channel for Your Alerts (Optional)

This step is optional but useful if you want to separate alert content from your normal content in Discord. In the Text Channels menu for your Discord server (you must be the server owner or have been granted admin privileges), click the plus icon to create a new text channel. I named mine graylog and gave it a topic text. Click Save. Note the Integrations menu item in the screenshot above; we will click on that next.

Add the Webhook which your Graylog server will call

Step 3: In Discord, Add a Webhook Integration

Within your text channel configuration you will see an Integrations menu item. Click Integrations and then click on Webhooks and New webhook.

You can add a unique icon to the automated messages

In the New Webhook dialog, you can name your webhook. I chose a descriptive name for this, but yours can be more generic. Note the channel the webhook posts to, then copy the webhook URL. Treat that URL as a credential: it has the form https://discord.com/api/webhooks/<id>/<token>, and anyone who holds it can post into your channel with no other authentication, so keep it out of screenshots and shared notes, and if it does leak, delete the webhook in Discord and create a new one. I got the Graylog icon from their Twitter account, @graylog2.

Graylog Event Definitions

Step 4: In Graylog, Add an Event Definition

In the Graylog Alerts menu, click Event Definitions and then the Create Event Definition button. I named my event “SSHd Logon Open Too Long” to match the Graylog blog video linked at the start of this post. Click Next. I set the Condition Type to “Event Correlation” and then set the correlation rules to follow a sequence of events within a 16 minute window. You can make it longer or shorter, but essentially I’m looking for SSH sessions that stay open for more than 16 minutes.

The event rules you will correlate

I set Event #1 in the correlation to be the “SSHd Session Open” event from my alerts. I added Event #2 and set it to “SSHd Session Closed”, which SHOULD NOT OCCUR in the next 15 min. This means the alert fires when event #1 occurs and no matching event #2 follows within 15 min. Because the rule has to wait and see whether event #2 turns up, the notification arrives once that window has elapsed, not at the moment the session opens. The definition of those two underlying events will be covered later and is outside the scope of this article. Click Next.

Create a custom event field for the user_name

Step 5: Create Custom Event Field for User Name

Click Add Custom Field in the Fields step of the wizard. Set the name to user_name and check “Use Field as Event Key”. Set the template to

template: ${source.user_name}

The template uses Graylog’s Freemarker syntax, where source is the log message that triggered the event, so this copies that message’s user_name field into the event (the field name after “source.” must match whatever your sshd extractor or pipeline rule actually produces). Leave “Value is required” unchecked. Click Next.
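To make the correlation rule from Steps 4 and 5 concrete, here is an added example of the same logic run over a few constructed sshd/PAM log lines. This is my own illustration code, not Graylog’s correlation engine and not from the Graylog blog; the log lines, host name “router”, PIDs and user names are made up, and the message template rendering is a simplified stand-in for Graylog’s notification template, not its real implementation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sshd/PAM log lines (not real logs from the setup described above).
SAMPLE_LOG = """\
2021-05-01T10:00:00 router sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
2021-05-01T10:05:00 router sshd[1201]: pam_unix(sshd:session): session closed for user alice
2021-05-01T10:10:00 router sshd[1333]: pam_unix(sshd:session): session opened for user bob by (uid=0)
2021-05-01T10:20:00 router sshd[1402]: pam_unix(sshd:session): session opened for user carol by (uid=0)
2021-05-01T10:40:00 router sshd[1333]: pam_unix(sshd:session): session closed for user bob
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"pam_unix\(sshd:session\): session (?P<action>opened|closed) for user (?P<user>\S+)"
)

# Simplified stand-in for a Graylog notification template using the custom user_name field.
MESSAGE_TEMPLATE = "SSH session for ${user_name} on ${source} open longer than 15 minutes"


def parse(log_text):
    """Turn matching log lines into dicts; non-matching lines are dropped, as an extractor would."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "timestamp": datetime.fromisoformat(m["ts"]),
            "source": m["host"],
            "pid": int(m["pid"]),
            "action": m["action"],
            "user_name": m["user"],  # the field the custom event field copies out
        })
    return events


def correlate(events, now, window=timedelta(minutes=15)):
    """One alert per session opened and NOT closed within `window`.

    Mirrors "Event #1 occurred and Event #2 should not occur in the next N minutes":
      close within the window                          -> no alert
      close after the window, or no close and window elapsed -> alert
      no close yet and window still running            -> undecided, no alert yet
    """
    closes = {}
    for ev in events:
        if ev["action"] == "closed":
            closes[(ev["pid"], ev["user_name"])] = ev["timestamp"]
    alerts = []
    for ev in events:
        if ev["action"] != "opened":
            continue
        deadline = ev["timestamp"] + window
        closed = closes.get((ev["pid"], ev["user_name"]))
        if closed is not None and closed <= deadline:
            continue  # session ended in time
        if closed is None and now < deadline:
            continue  # the engine would keep waiting until the window expires
        alerts.append({
            "user_name": ev["user_name"],
            "source": ev["source"],
            "pid": ev["pid"],
            "opened_at": ev["timestamp"].isoformat(),
            "still_open": closed is None,
        })
    return alerts


def render(alert, template=MESSAGE_TEMPLATE):
    """Substitute ${field} placeholders from the alert; unknown fields are left as-is."""
    return re.sub(r"\$\{(\w+)\}", lambda m: str(alert.get(m.group(1), m.group(0))), template)


def run(log_text, now_iso, window_minutes=15):
    """Parse, correlate as of `now_iso`, and return the rendered messages in log order."""
    alerts = correlate(parse(log_text), datetime.fromisoformat(now_iso),
                       timedelta(minutes=window_minutes))
    return [render(a) for a in alerts]


if __name__ == "__main__":
    for msg in run(SAMPLE_LOG, "2021-05-01T10:40:00"):
        print(msg)
```

Evaluated at 10:40, alice’s session (closed after 5 minutes) produces nothing, bob’s (closed after 30 minutes) and carol’s (still open after 20 minutes) each produce an alert; evaluated at 10:30, carol’s window has not expired yet and only bob is reported. That waiting behaviour is why the “should not occur” rule cannot notify you the instant a session opens.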

Setup the Slack Notification (works with Discord as well)

Step 6: Setup the Notification to Discord

In the Notifications wizard item, click on the Add Notification button.

Add Notification dialog

Within Add Notification, set a descriptive title and description (I’ve again used the example from the Graylog blog video). You MUST select the Notification Type “Slack”; there is no Discord type, but Discord accepts Slack-formatted webhook messages. You can change the highlight color. In the Webhook URL field, paste the URL copied in Step 3 above and append “/slack” to the end of it, which tells Discord that this message is formatted for Slack and to handle that format. You can specify the channel again and the custom message template, and you can use your custom user_name field in that template. Click the Execute Test Notification button to verify that your test message shows up in Discord. Click Save and wait for your event notifications! Two things to keep in mind: the webhook URL is now stored in Graylog’s notification configuration, so anyone who can edit notifications there can read it, and whatever you put in the message template (user names included) leaves your network and lands on Discord’s servers, so keep sensitive log content out of it.
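The “Slack” notification type and the “/slack” suffix are the whole trick in Step 6, so here is an added standalone tester I wrote for exercising a Discord webhook before (or instead of) clicking Execute Test Notification. It is not Graylog’s notification code and not from the original post: the payload shape is a minimal Slack-style attachment that Discord’s /slack endpoint accepts, not the exact JSON Graylog emits, and the webhook id “123” and token “abc” in the usage below are placeholders. It also shows the two hygiene points from above: refusing to send to anything but an https Discord webhook URL, and redacting the token before the URL is logged.

```python
import json
import sys
import urllib.parse
import urllib.request

DISCORD_HOSTS = ("discord.com", "discordapp.com")


def slack_endpoint(webhook_url):
    """Return the Slack-compatible endpoint for a Discord webhook URL.

    Discord webhook URLs look like https://discord.com/api/webhooks/<id>/<token>;
    appending /slack makes Discord parse Slack-formatted JSON, which is what the
    Graylog "Slack" notification type sends. Rejects plain http and non-Discord hosts
    so a typo cannot ship the token somewhere else.
    """
    parts = urllib.parse.urlsplit(webhook_url)
    if parts.scheme != "https" or parts.netloc not in DISCORD_HOSTS:
        raise ValueError("not an https Discord webhook URL")
    path = parts.path.rstrip("/")
    if not path.startswith("/api/webhooks/"):
        raise ValueError("not a Discord webhook path")
    if not path.endswith("/slack"):
        path += "/slack"
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def is_discord_webhook(webhook_url):
    """True if slack_endpoint() would accept the URL."""
    try:
        slack_endpoint(webhook_url)
        return True
    except ValueError:
        return False


def redact_webhook(webhook_url):
    """The token segment is the credential; strip it before logging or sharing the URL."""
    parts = urllib.parse.urlsplit(webhook_url)
    segments = parts.path.strip("/").split("/")  # ["api", "webhooks", "<id>", "<token>", ...]
    if len(segments) >= 4:
        segments[3] = "<redacted>"
    return urllib.parse.urlunsplit((parts.scheme, parts.netloc, "/" + "/".join(segments), "", ""))


def build_payload(title, text, color="#FF0000", username="Graylog"):
    """Minimal Slack-style message (assumed shape) that Discord accepts on the /slack endpoint."""
    return {
        "username": username,
        "attachments": [{"color": color, "title": title, "text": text}],
    }


def post_notification(webhook_url, payload, timeout=10):
    """POST the payload to the /slack endpoint and return the HTTP status (network call)."""
    req = urllib.request.Request(
        slack_endpoint(webhook_url),
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json", "User-Agent": "graylog-discord-tester/1.0"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # usage: python3 discord_webhook_test.py https://discord.com/api/webhooks/123/abc
    url = sys.argv[1]
    payload = build_payload("SSHd Logon Open Too Long",
                            "SSH session for alice on router open longer than 15 minutes")
    print("posting to", redact_webhook(slack_endpoint(url)))
    print("status", post_notification(url, payload))
```

If the message shows up in your channel from this script but not from Graylog, the problem is on the Graylog side (wrong notification type, missing “/slack”, or an outbound firewall rule); if it fails here too, the webhook itself is wrong or has been deleted.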