I want to create a rule in Kibana that checks whether there is a new IP address (like in the picture) in the log file and sends an alert by mail if there is a new one.
You should implement an ingest/Logstash pipeline to parse out the IP address, index it into a separate field, and use that field for your alerting purposes.
Another option would be to create a runtime field by using
Do I need to use Logstash? Because I couldn't send logs from Filebeat to Logstash; instead I'm sending logs from Filebeat to Elastic directly.
Yes, you can use an ingest pipeline to parse that log. Grok works with ingest pipelines as well, so you could have a nicely parsed log without Logstash.
You will need to do that first, and then when you have that ... I suspect you would use a detection for new IPs... Get that parsed and then come back and open a very specific topic.
"Alert on New IP Address" or something like that; your current title is way too vague and the right people will not look at it.
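An added example of the ingest pipeline the reply above describes (not code from this thread or from Elastic's documentation): the grok pattern, the `client=` prefix and the constructed sample line `2024-05-01T10:15:30Z INFO client=203.0.113.45 GET /login 200` are assumptions, since the asker's real log format is only shown in the missing picture. The `convert` step rejects anything grok captured that is not actually an IP, and `on_failure` keeps the failing document but records why, so parse failures are visible rather than silently dropped.

```json
{
  "description": "Constructed example: extract the client IP from a raw log line into its own field",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "^%{TIMESTAMP_ISO8601:event_ts} %{LOGLEVEL:log.level} client=%{IP:source.ip}"
        ],
        "ignore_missing": true
      }
    },
    {
      "convert": {
        "field": "source.ip",
        "type": "ip",
        "ignore_missing": true
      }
    }
  ],
  "on_failure": [
    {
      "set": {
        "field": "error.message",
        "value": "{{ _ingest.on_failure_message }}"
      }
    }
  ]
}
```

Create it with `PUT _ingest/pipeline/extract-client-ip` in Kibana Dev Tools, check it with `POST _ingest/pipeline/extract-client-ip/_simulate` on the sample line, then point Filebeat at it with `output.elasticsearch.pipeline: extract-client-ip` and map `source.ip` as type `ip` in the index template so the field is usable in a rule.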
Thanks for your response; next time I will make sure to pick a good title for my question.