Graylog Integration - Webhook [Error running Script in Trigger]

Hello,

I am running into an issue with the Graylog integration as documented under GitHub - jeanmorais/rocketchat-graylog-hook: Add Graylog alerts via a new WebHook in Rocket.Chat. The error that pops up through the logs is “Error running Script in Trigger” - “TypeError: Cannot read property ‘triggered_condition’ of undefined”.

Looking for pointers at this stage, or to hear if someone else has encountered the same issue. Worth noting that a “Curl” test or using a basic PowerShell script to invoke the API works using a test integration.

Any help is appreciated.

Server Setup Information

  • Version of Rocket.Chat Server: 4.6.2
  • Operating System: Ubuntu 20.4
  • Deployment Method:
  • Number of Running Instances: 1
  • DB Replicaset Oplog: wiredTiger (oplog Enabled)
  • NodeJS Version: v14.18.3
  • MongoDB Version: 4.2.17
  • Firewalls involved: N/A

Below is the log captured at the time of Graylog attempting to send a webhook.

{"level":30,"time":"2022-04-24T01:33:21.190Z","pid":32448,"hostname":"RC-Server","name":"Integrations","section":"Incoming WebHook","msg":"Post integration:","name":"Graylog-Webhook"} 
{"level":30,"time":"2022-04-24T01:33:21.191Z","pid":32448,"hostname":"RC-Server","name":"Integrations","section":"Incoming WebHook","msg":"Will evaluate script of Trigger","name":"Graylog-Webhook"} 
{"level":50,"time":"2022-04-24T01:33:21.193Z","pid":32448,"hostname":"RC-Server","name":"Integrations","section":"Incoming WebHook","msg":"Error running Script in Trigger","name":"Graylog-Webhook","script":"var GRAYLOG_URL=\"https://Graylog-Server.com:9000\";var createPermalink=function(m,index){var label=index===0?\"Display complete message\":\"#\"+(index+1);return\"[\"+label+\"](\"+GRAYLOG_URL+\"/messages/\"+m.index+\"/\"+m.id+\")\"};var formatMessages=function(messages){var grouped=messages.reduce(function(acc,m){if(!acc.hasOwnProperty(m.message)){acc[m.message]=[]}acc[m.message].push(m);return acc},{});var result=[];for(var mType in grouped){if(grouped.hasOwnProperty(mType)){var line=\"*Message*: \"+mType+\"\<br>*Source*: \"+grouped[mType][0].source+\"\<br>\"+grouped[mType].map(createPermalink).join(\", \");result.push(line)}}return result.join(\"\<br>-------------\<br>\")};var parseText=function(result){if(result.matching_messages.length>0){return formatMessages(result.matching_messages)}else{return result.result_description}};var createAlertMessageEvent=function(result){return\":warning: *Alert*: \"+result.triggered_condition.title+\"\<br>\"+parseText(result)};var makeAttachment=function(text){return{text:text,color:\"#e8d612\"}};var Script=function(){function Script(){}var _proto=Script.prototype;_proto.process_incoming_request=function process_incoming_request(_ref){var request=_ref.request;return{content:{attachments:[makeAttachment(createAlertMessageEvent(request.content.check_result))]}}};return Script}();","err":{},"msg":"TypeError: Cannot read property 'triggered_condition' of undefined"} 
{"level":35,"time":"2022-04-24T01:33:21.194Z","pid":32448,"hostname":"RC-Server","name":"API","method":"POST","url":"/hooks/727d4cf65fd626491526f828/zyTEobhd78f7LWB5yKmpJuA8sG56SMgwJzHoTBss5XSkhApd","userAgent":"okhttp/3.14.6","length":"2209","host":"RC-Server.com:3000","remoteIP":"x.x.x.x","status":400,"responseTime":4}

Hi!

Can you share an example of the payload your graylog is sending? Can you confirm if it’s the same one you are using with curl?

The script renders the message based on the contents at request.content.check_result, so you need to first make sure the content is there and that it is also sent with JSON headers.

A great way to debug this is to set your graylog to point to a website like https://webhook.site/ and match that with your curl command.

Also, if you want to help and/or get help, please, join us at our Community Support Channel

:slight_smile:

Thanks @dudanogueira, let me try the webhook.site and report back with the Graylog output.

When you say Rocket.Chat, what channel?

The link is already pointing to our #support channel :slight_smile:

Hi!

I have sent a PR to the integration webhook script that will hopefully work with newer versions of Graylog:

Hello @dudanogueira !
I’ve tried your fix on Graylog 4.3 and unfortunately it doesn’t work (I just see empty notifications in RC), since the message structure has been completely changed in the recent versions (Alerts).
I’ve collected the new structure using the webhook site you suggested.
Could you please take a look and suggest a fix?

{
  "event_definition_id": "NotificationTestId",
  "event_definition_type": "test-dummy-v1",
  "event_definition_title": "Event Definition Test Title",
  "event_definition_description": "Event Definition Test Description",
  "job_definition_id": "<unknown>",
  "job_trigger_id": "<unknown>",
  "event": {
    "id": "TEST_NOTIFICATION_ID",
    "event_definition_type": "notification-test-v1",
    "event_definition_id": "EventDefinitionTestId",
    "origin_context": "urn:graylog:message:es:testIndex_42:b5e53442-12bb-4374-90ed-0deadbeefbaz",
    "timestamp": "2022-07-08T07:13:32.199Z",
    "timestamp_processing": "2022-07-08T07:13:32.199Z",
    "timerange_start": null,
    "timerange_end": null,
    "streams": [
      "000000000000000000000002"
    ],
    "source_streams": [],
    "message": "Notification test message triggered from user <local:admin>",
    "source": "000000000000000000000001",
    "key_tuple": [
      "testkey"
    ],
    "key": "testkey",
    "priority": 2,
    "alert": true,
    "fields": {
      "field1": "value1",
      "field2": "value2"
    },
    "group_by_fields": {}
  },
  "backlog": []
}

Oh no!

I think I got the wrong version as the latest :see_no_evil:

This one is indeed the latest payload
https://docs.graylog.org/docs/alerts

But it should be pretty straightforward, as now it seems to only send one message per payload.

I will take a look at this later today and try to come up with a nice example. As I don’t use Graylog, do you know which fields are the interesting ones to have in the message?

This is my first experience with Graylog webhooks and I also can’t say for sure.
So far only the message field comes to my mind.
Probably backlog should also be considered, as it includes samples of the previous logs that triggered the current notification, but so far I don’t even know how to trigger such a notification.

Hum.

Well, for starters, this script will deliver the message into the integration:

It is based on the example from here:

I will bookmark this here, and try to play around with graylog next week.

Maybe we could do a Rocket.Lab about it, what do you think?

Thanks!

Thanks a lot for the prompt response and your efforts!
I’m a bit confused, since I still receive an empty message in RocketChat.
Here is what I see in the log:

I20220709-14:59:10.376(0) Integrations ➔ Incoming WebHook.info Post integration: graylog 
I20220709-14:59:10.389(0) API ➔ info 37.48.76.140 - m8QsnPaBXcK7CNsfS [2022-07-09T14:59:10.389Z] "POST /hooks/qjLDsKD9Qs44Jv2qa/T2SYC2dchQzxRBKy4xf8PkLLpnNbrAPygMwkuX4mnsAYaasY" 200 - "undefined" "okhttp/3.14.6" |  

Could you please let me know what can be done for further analysis?

UPD:
My bad - I just missed the “Enable Script” button; the test notification is OK, checking further.

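Added example, not part of the original thread and not the rocketchat-graylog-hook project's code: an incoming-webhook script that accepts both the legacy `check_result` body the failing script reads and the event body posted above, and answers with an error for any other body instead of throwing the `TypeError` seen in the log. `GRAYLOG_URL`, the helper names and the choice of output fields are assumptions.

```javascript
// Added example, not the integration project's script. GRAYLOG_URL is a placeholder.
const GRAYLOG_URL = "https://graylog.example.invalid:9000";

// Legacy alarm callback body: check_result.triggered_condition, as the original script expects.
function formatLegacy(result) {
  const cond = result.triggered_condition || {};
  const messages = Array.isArray(result.matching_messages) ? result.matching_messages : [];
  const lines = messages.map((m) =>
    `*Message*: ${m.message}\n*Source*: ${m.source}\n` +
    `[Display complete message](${GRAYLOG_URL}/messages/${m.index}/${m.id})`);
  const body = lines.length > 0 ? lines.join("\n-------------\n") : String(result.result_description || "");
  return `:warning: *Alert*: ${cond.title || "(untitled condition)"}\n${body}`;
}

// Newer event notification body: event_definition_title, event, backlog (shape posted in the thread).
function formatEvent(content) {
  const event = content.event;
  const fields = Object.keys(event.fields || {}).map((k) => `*${k}*: ${event.fields[k]}`);
  const backlog = Array.isArray(content.backlog) ? content.backlog.length : 0;
  return [
    `:warning: *Alert*: ${content.event_definition_title || "(untitled event)"}`,
    `*Message*: ${event.message}`,
    `*Priority*: ${event.priority}`,
    `*Timestamp*: ${event.timestamp}`,
  ].concat(fields, [`*Backlog entries*: ${backlog}`]).join("\n");
}

class Script {
  process_incoming_request({ request }) {
    const content = request && request.content;
    const isObj = (v) => v !== null && typeof v === "object";
    let text;
    if (isObj(content) && isObj(content.check_result)) {
      text = formatLegacy(content.check_result);
    } else if (isObj(content) && isObj(content.event)) {
      text = formatEvent(content);
    } else {
      // Unknown or empty body: answer with an error instead of throwing a TypeError.
      return { error: { success: false, message: "Unrecognized Graylog payload" } };
    }
    return { content: { attachments: [{ text, color: "#e8d612" }] } };
  }
}

// Constructed sample, trimmed from the test notification shape quoted in the thread.
const SAMPLE_EVENT = { event_definition_title: "Event Definition Test Title", backlog: [],
  event: { message: "Notification test message", priority: 2, timestamp: "2022-07-08T07:13:32.199Z",
    fields: { field1: "value1" } } };
console.log(new Script().process_incoming_request({ request: { content: SAMPLE_EVENT } }).content.attachments[0].text);
```

The last four lines only exercise the script under Node; the part up to and including `class Script` is what would go into the integration's script field, with the script enabled.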