Hello,
can anybody show me example how to create a notification (email, slack...) when Auditbeat notice changes in files?
I've elasticsearch from elastic.co with installed auditbeat on the server, all works fine. But I want to have notification when new file was added on the server.
Thank you.
Hey Hubert,
Your best bet is to use Watcher. Watcher is not specific to Auditbeat, however.
With Watcher, you can define any type of query that should generate a notification, based on an Elasticsearch query or a cluster status. Then you specify your preferred notification method via the Watcher "Actions". Can be an email or a webhook, for example.
Cheers
Mat
Yes, I know that I can use this tool. But how to write this scripts? Could you provide any example?
I want to fetch one query every 5 minutes and if any exist, send the result via Slack/Mail.
There are full examples, including the full API call to create the watch, in the Example Watches section. Scroll down to "The complete watch looks like this".
Then you'll need to adjust that example to target your auditbeat indices, the frequency and time ranges, and finally which output you want to use (the example actually uses email).
Note that all of this process lives in Elasticsearch. You don't need a script per se.
The API call you see (PUT _xpack/watcher/watch/...) can be performed directly from Kibana, in the "Dev Tools" section.
This topic was automatically closed 21 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.