I have an alert and notification in Graylog that sends me a Slack message when one of my systems runs Ansible pull. (Pulled from Sys Logs)
I do not need a fancy or in-depth message, just that X host has run. Here is my custom message.
${foreach event.fields field}
${field.key}: ${field.value} ran ansible at ${event.timestamp}
${end}
I also have a custom field set up under the alert as
template: "${source.source}"
require_values: true