Is there a way I can display a message variable (like username or IP Address) in the "Message Text" defined in a correlation rule? I have built the correlation rule and it is firing as desired, but the user would like to have the username displayed in the Message Text that is generated from the correlation rule and displayed in the view, rather than having to drill down to see the alert(s) that cause the rule to fire. Newbie here, so hope this makes sense.
I'd like to know how to do this also. The best I can tell, it cannot be configured in the Alerts, Alert Configuration, Set Up Alert History, display options page. The closest you can get is identifying which columns you want and in what sort precedence you want them.
The feature/capability you're looking for is also a lot like what I was looking for in my post on Subject Lines for SMTP output actions, which can be found here.
As an alternative option for your question, I played around with trying to run custom reports off the Message field in the Alerts table, but there's no real good (reliable) way to elicit the username or IP address as a variable, since it could potentially be different each time, depending on the event ID and event source that generated the alert in the first place.
Good question though, thanks for posting.
ryan