How do I customize the email subject or body of an alert?

Article ID: 409
Category: Configuration
Updated: 2019-09-25

Event log alerts can often be cryptic and difficult to understand, especially when they need to be interpreted by non-technical staff. EventSentry makes it easy to simplify complex alerts by letting you completely rewrite the subject and body of the email that is sent.

For example, the following (potentially confusing) event log message, Security event 4688:

A new process has been created.

Creator Subject:
Security ID: DOMAINX\john.doe
Account Name: john.doe
Account Domain: DOMAINX
Logon ID: 0x1EBA26

Target Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Process Information:
New Process ID: 0x1d9c
New Process Name: C:\Program Files (x86)\WinMerge\WinMergeU.exe
Token Elevation Type: TokenElevationTypeLimited (3)
Creator Process ID: 0x1200
Process Command Line: "C:\Program Files (x86)\WinMerge\WinMergeU.exe"

could be simplified in an email alert to read as follows:

User DOMAINX\john.doe started process C:\Program Files (x86)\WinMerge\WinMergeU.exe on host LAPTOP50

This is possible by utilizing insertion strings, the variable parts of an event (in the sentence above, the user and the process name) that are used in all Microsoft security events and many others. The sentence above can be completely customized. Reviewing the event definition of event 4688 shows that insertion strings %1 (the creator's Security ID, displayed resolved as DOMAINX\john.doe) and %6 (the new process name) are needed to build the custom message. Note that insertion strings are numbered in the order the event definition declares them, which is not necessarily the order in which the rendered message displays them; for 4688 the "Target Subject" fields shown second are %10 to %13, while the "Process Information" fields shown last are %5 to %9. EventSentry uses $STR followed by the number to refer to an insertion string, and $HOSTNAME always refers to the host where the event was logged:

User $STR1 started process $STR6 on host $HOSTNAME
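To see how such a template expands, here is an added Python example; it is not EventSentry code, and the renderer is an approximation of the $STRn / $HOSTNAME substitution described above. The list of insertion strings is constructed from the event 4688 record quoted earlier, in the %1..%n order the 4688 event definition declares them (%1 = SubjectUserSid, written here already resolved to DOMAINX\john.doe as the viewer displays it). How EventSentry treats a reference to a string the event does not have is not described on this page; leaving such references in the output is an assumption made for the example.

```python
import re

# Constructed sample (not captured from a live system): the insertion strings of
# the event 4688 record quoted in the article, in the %1..%n order the 4688
# event definition declares them. This is NOT the display order of the rendered
# message: "Target Subject" (%10-%13) is shown before "Process Information"
# (%5-%9). %1 is a SID; it is written here already resolved to DOMAINX\john.doe,
# as Event Viewer and the article display it.
EVENT_4688_STRINGS = [
    "DOMAINX\\john.doe",                                   # %1  SubjectUserSid
    "john.doe",                                            # %2  SubjectUserName
    "DOMAINX",                                             # %3  SubjectDomainName
    "0x1EBA26",                                            # %4  SubjectLogonId
    "0x1d9c",                                              # %5  NewProcessId
    r"C:\Program Files (x86)\WinMerge\WinMergeU.exe",      # %6  NewProcessName
    "TokenElevationTypeLimited (3)",                       # %7  TokenElevationType
    "0x1200",                                              # %8  ProcessId (creator)
    r'"C:\Program Files (x86)\WinMerge\WinMergeU.exe"',    # %9  CommandLine
    "NULL SID",                                            # %10 TargetUserSid
    "-",                                                   # %11 TargetUserName
    "-",                                                   # %12 TargetDomainName
    "0x0",                                                 # %13 TargetLogonId
]

# $STR followed by one or more digits, or $HOSTNAME. \d+ is greedy, so $STR10
# is read as string 10 and never as $STR1 followed by a literal "0".
_VARIABLE = re.compile(r"\$(?:STR(\d+)|(HOSTNAME))")


def render(template, strings, hostname):
    """Expand $STRn and $HOSTNAME in an EventSentry-style message template.

    Out-of-range references (e.g. $STR99 for an event with 13 strings) are
    left in the output verbatim so a typo in the template is visible in the
    alert. That is an assumption for this example, not documented
    EventSentry behaviour.
    """
    def expand(match):
        if match.group(2) == "HOSTNAME":
            return hostname
        index = int(match.group(1))
        if 1 <= index <= len(strings):
            return strings[index - 1]
        return match.group(0)

    # re.sub with a callable inserts the returned text literally, so
    # backslashes in Windows paths are not interpreted as escape sequences.
    return _VARIABLE.sub(expand, template)


def render_naive(template, strings, hostname):
    """The tempting but wrong approach: sequential str.replace calls.

    Replacing $STR1 before $STR10 turns "$STR10" into the first string plus
    a trailing "0". Kept only to show why the regex above matches the whole
    number.
    """
    out = template.replace("$HOSTNAME", hostname)
    for i, value in enumerate(strings, start=1):
        out = out.replace(f"$STR{i}", value)
    return out


if __name__ == "__main__":
    subject = "Process started on $HOSTNAME"
    body = "User $STR1 started process $STR6 on host $HOSTNAME"
    print(render(subject, EVENT_4688_STRINGS, "LAPTOP50"))
    print(render(body, EVENT_4688_STRINGS, "LAPTOP50"))
    print(render("Target SID: $STR10", EVENT_4688_STRINGS, "LAPTOP50"))
    print(render_naive("Target SID: $STR10", EVENT_4688_STRINGS, "LAPTOP50"))
```

To confirm the numbering for a given event on a live host rather than trusting a listing, PowerShell's `(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688} -MaxEvents 1).Properties` returns the insertion strings of the newest 4688 record in %1..%n order, so the index of each value in that output is the number to use after $STR.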

The event message is customized in the event log filter that forwards the event to an action. Since a customized message almost always applies to one specific event ID, you will need to create a new filter for that event:

  1. Open the management console and either find an existing event log package to add the new filter rule to, or create a new event log package.
  2. Make sure the package is assigned to the correct hosts, or set it to global if the filter rules should apply to all hosts in your network.
  3. Create a new event log filter that matches only the event you are customizing (for event 4688, the Security log and event ID 4688), so the override does not apply to unrelated events.
  4. Assign an action to the event log filter.
  5. Click the Advanced button to override the email subject and/or message.
  6. In Email / Network Action Override, specify a custom subject and/or message, using $STR followed by the insertion string number and $HOSTNAME as shown above.
[Screenshot: Event log filter with custom email message]