Don't know if you found your problem, but if not, open an Active Channel with deviceEventClassId STARTSWITH notification, you will mostly see what the problem is with the events. That's how I debugged my custom email templates.

Hi Venkat,

The ArcSight field name are case sensitive. So, you need to make sure that the field names are mentioned properly.

Event Name: $event.name

Device: $introspector.getDisplayvalue($event, "deviceVendor")

Attacker User Name: $introspector.getDisplayValue($event, "attackerUserName")

Attacker Host Name: $introspector.getDisplayValue($event, "attackerHostName")

Attacker address: $introspector.getDisplayValue($event, "attackerAddress"))

Target User Name: $introspector.getDisplayValue($event, "targetUserName")

Target Address: $introspector.getDisplayValue($event, "targetAddress")

Try using the content that has been mentioned above.

Regards,

Anirudh

The second reply to your problem is correct in that "attackusername" needs to be "attackUserName" in your minimal.vm but also your conditional statement in Email.vm will never fire because when a rule fires, by default, has a deviceProduct of ArcSight, so deviceProduct =="Triton" will not be true. When you use the default Informative.vm, look through the email body that is sent, if a line reads Device Product: ArcSight, you need to aggregate the deviceProduct field from the event into your rule when you edit the rule. I hope this helps.

What tells you what is wrong in that active channel with the email?

The fact that you are not receiving any email notifications while using minimal.vm means that there is something wrong with the syntax within the file.

Try this :

## Minimal.vm is a Velocity macro file that serves as a sample template

## to demonstrate display of several fields in a notification email,

## using the Script Alias found in the online help under Data Fields.

## To change the event strings sent, use the values shown in the topic

## "Data Fields" found in Console online Help or Using the ArcSight Console.

Event Name: $event.name

Device: $introspector.getDisplayvalue($event, "deviceVendor")

Attacker User Name: $introspector.getDisplayValue($event, "attackerUserName")

Attacker Host Name: $introspector.getDisplayValue($event, "attackerHostName")

Attacker address: $introspector.getDisplayValue($event, "attackerAddress"))

Target User Name: $introspector.getDisplayValue($event, "targetUserName")

Target Address: $introspector.getDisplayValue($event, "targetAddress")

Further to some of the other contributes to this thread, you can usually see parsing errors for notification emails if you tail -f server.log on the manager.  You will see 'introspector error'.  Try tail -f server.log | grep notification

Seeing as this thread has some recent traffic... I have a similar problem with a customized template which worked for ESM 6.0 but no longer works for 6.5.

Tailing server.log and grepping for notification I discovered the following snippets (I apologize for the transcription errors):

[...notification.PendingAlert] Transport [Email] does not function properly

deactivating for 30000ms

Setting active state of Transport email to false

Email is temporarily diseased!, Not sending notifcation  <-- not a typo

AFAIK the content of the various templates is ok... certainly it used to work and now it does not. Next step will be to roll back to using Informative.vm and rebuild custom templates one line at a time, but I wanted to post and see if anyone has seen this before. I assume that grepping for "diseased" will be simple.

You have second bracket in $introspector.getDisplayValue($event, "attackerAddress")) must be like this

$introspector.getDisplayValue($event, "attackerAddress")