Can watcher run a local script as an Action?

alerting

(Symon Thurlow) #1

I have salt running on the same host as Watcher. I have set up a watch for a specific log entry, and am currently emailing when they occur. I want to run a salt command when this log entry appears, which will interact with a Windows server and restart a service. The Watcher element is triggering, and the salt command line element works, but how do I glue them together? I


(Alexander Reelsen) #2

Hey,

Elasticsearch uses the Java security manager to actually lock down what the JVM is allowed to execute (as well as further security features like seccomp, which prevents forking processes).

What you could do, however, is use the Logstash exec output in combination with the http input:

input {
  http {
    host => "127.0.0.1"
    port => 1234
  }
}

output {
  stdout {
    codec => rubydebug
  }
  exec {
    command => "iptables -A INPUT -s %{message} -j DROP"
  }
}

And have a watch sending data to the Logstash input:

PUT _watcher/watch/logstash_event_watch
{
  "trigger": {
    "schedule": {
      "interval": "10s"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["test-index"],
        "body": {
          "query": {
            "match_all": {}
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "logstash_exec": {
      "webhook": {
        "method": "POST",
        "host": "localhost",
        "port": 1234,
        "path": "/{{watch_id}}",
        "body": "{{ctx.payload.hits.hits.0._source.clientip}}"
      }
    }
  }
}

Note: Written off the top of my head, so may require refinement! Needs validation that the hits array is not empty, etc.

--Alex
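The exec output above splices `%{message}` (the raw webhook body, i.e. a field taken from an indexed document) straight into a shell command line, so whatever the watch posts ends up being executed. An added example, not part of the answer or of Logstash: a small handler script that the exec output could call instead (the path `/usr/local/bin/watcher_action.py` is assumed), which accepts only a literal IPv4 address and runs the iptables rule from the answer as an argument vector rather than through a shell.

```python
#!/usr/bin/env python3
"""Validating handler for the Logstash exec output in the answer above.

Assumed wiring (hypothetical path) in the logstash config:
    exec { command => "/usr/local/bin/watcher_action.py %{message}" }
so the watch's webhook body arrives as the first argument. That value
comes from an indexed document, so it is validated before anything runs.
"""
import ipaddress
import subprocess
import sys


def parse_target(raw: str):
    """Return the IPv4 address in raw as a string, or None if it is not one.

    Anything else (shell metacharacters, hostnames, CIDR ranges, IPv6)
    is rejected, so only a single literal IPv4 address gets through.
    """
    candidate = raw.strip()
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return None
    if addr.version != 4:
        return None
    return str(addr)


def build_command(target: str):
    """Argument vector for the iptables rule from the answer; no shell involved."""
    return ["iptables", "-A", "INPUT", "-s", target, "-j", "DROP"]


def handle(raw: str) -> int:
    """Validate the webhook body and run the action; returns the exit status."""
    target = parse_target(raw)
    if target is None:
        # Log and refuse rather than executing an unexpected payload.
        print(f"rejected watch payload: {raw!r}", file=sys.stderr)
        return 2
    return subprocess.run(build_command(target), check=False).returncode


if __name__ == "__main__":
    sys.exit(handle(sys.argv[1] if len(sys.argv) > 1 else ""))
```

The same check can be duplicated at the Logstash level by wrapping the exec output in a conditional on `[message]` so that non-matching bodies never reach the command at all.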
