I have a doubt in making a custom beat that reads or monitors the state of a file, example:
In a server, a file is within the Inbound folder if stays the file for more than 5 minutes in this folder and doesnt move to the processed folder then the beat send like an alert or something.
Is this possible to achive? If yes, can you give some hints or where to start?
I hope that i have explained myself. Thanks in advance!
You could probably do this with a combination of Auditbeat watching the files, and then Alerting to find files don't have a matching move record within the 5 minute window.
File Integrity Module | Auditbeat Reference [8.2] | Elastic and examples/Alerting/Sample Watches/new_process_started at master · elastic/examples · GitHub should get you started.
@warkolm's solution is also what I was thinking. You could probably aggregate on the file names (assuming they are unique) and then do a sub-aggregation on the event.action field. Then alert an any file whose event.action agg does not contain created and moved.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.