There was one small, but important change made to Log Insight 3.6 that impacted the behavior of user alerts versus previous releases. Read on to learn more!
Prior to Log Insight 3.6, if you enabled a user alert over email then the subject would be in the format:
[Log Insight] <number> new events found for alert: <alert_name>
As you can see, that is a lot of prefix to get to the alert name and for most people besides the alert name only the Log Insight part was important. The long prefix may also result in you not being able to see the alert name in your inbox. As such, now the subject format defaults to:
<alert_name>
While this solves the primary problem, and allows you to add “Log Insight” to the alert name if you desire, it is a change in behavior. If you happen to be doing email scraping of Log Insight alerts — then it is time to consider webhooks — based on the subject then your script may no longer work. The recommendation would be to update your existing scripts to leverage the new subject format, but in worst case I have a COMPLETELY UNSUPPORTED workaround to revert the behavior — note this workaround may not exist post 3.6:
- Go to /internal/config
- Select “Show all settings”
- Search for “use-old-email-subject”
- Change the value to “true”
- Select Save
© 2016, Steve Flanders. All rights reserved.