Email alert for message in tag

WarrenG · August 20, 2018, 12:38pm

Hi All

First try with emailing logs, I found this bit of information but im having issues working out how this would work for me.

    if "FOUND" in [message]  {
        email {
            from => "logstash_alert@company.local"
            subject => "logstash alert"
            to => "myemail@company.local"
            via => "smtp"
            body => "Here is the event line that occured: %{message}"
        }
    }

My problem is that "found" is around quite a lot, I only want the email if the word "FOUND" is in a specific logfile / tag

is that possible?

magnusbaeck · August 20, 2018, 12:46pm

Yes. If you have fields for the logfile you can just add that as a restriction in your condition.

if [filename] == "whatever" and "FOUND" in [message] {

WarrenG · August 20, 2018, 1:51pm

Hi Magnus

[root@develk01 conf.d]# cat 30-elasticsearch-output.conf
output {
 elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  if [filename] == "clamd.log" and "FOUND" in [message]  {
        email {
            from => "logstash_alert@xxx"
            subject => "logstash alert"
            to => "xxx@xxx"
            via => "smtp"
            body => "Here is the event line that occured: %{message}"
            domain => 'smtp.xxx'
            port => 25
        }
    }
}
[root@develk01 conf.d]

I then forced a run to create the log which showed up in Kibana, but no email. I also didnt see anything in the logstash logs, any idea what I have done wrong?

Logs from the server running the scan:

Starting ClamAV Scan at Mon 20 Aug 14:40:12 IST 2018
Mon Aug 20 14:45:35 2018 -> SelfCheck: Database status OK.
/home/adm-guerinw@xxx/test.virus: Eicar-Test-Signature FOUND

magnusbaeck · August 20, 2018, 1:55pm

What does the event that Logstash should've sent in an email look like? Copy/paste from Kibana's JSON tab.

Have you verified that email sending is working at all?

WarrenG · August 20, 2018, 1:56pm

I have not verified email sending is working at all, is there a link you can send on that explains that bit?

Thank you

WarrenG · August 20, 2018, 1:57pm

{
  "_index": "filebeat-6.3.2-2018.08.20",
  "_type": "doc",
  "_id": "yDGXV2UBVdeQSjnxZNoW",
  "_score": 1,
  "_source": {
    "offset": 113051,
    "source": "/var/log/clamd.log",
    "@timestamp": "2018-08-20T13:47:36.875Z",
    "input": {
      "type": "log"
    },
    "message": "/home/adm-guerinw@xxx/test.virus: Eicar-Test-Signature FOUND",
    "host": {
      "name": "devavdb01"
    },
    "beat": {
      "name": "devavdb01",
      "version": "6.3.2",
      "hostname": "devavdb01"
    },
    "prospector": {
      "type": "log"
    },
    "tags": [
      "clamav",
      "beats_input_codec_plain_applied"
    ],
    "@version": "1"
  },
  "fields": {
    "@timestamp": [
      "2018-08-20T13:47:36.875Z"
    ]
  }
}

magnusbaeck · August 20, 2018, 2:01pm

That event doesn't have a filename field so the conditional surrounding the email output is obviously never true. You do have a source field though.

WarrenG · August 20, 2018, 2:04pm

  if [source] == "/var/log/clamd.log" and "FOUND" in [message]

WarrenG · August 20, 2018, 2:05pm

or could I have:

  if [tag] == "clamav" and "FOUND" in [message]

magnusbaeck · August 20, 2018, 2:06pm

The existence of a tag is checked like this:

if "clamav" in [tags] ...

WarrenG · August 20, 2018, 2:17pm

Brilliant, I think this is a better error to have now!

[2018-08-20T15:14:51,727][ERROR][logstash.outputs.email   ] Something happen while delivering an email {:exception=>#<Errno::ECONNREFUSED: Connection refused - connect(2) for "localhost" port 25>}

Ill work on that one now.

Thank you for your help!

WarrenG · August 20, 2018, 2:36pm

Hi Magnus

do I have to use a local smtp, can I use an external SMTP server? I can connect on port 25 with no authentication to my external smtp.

Thank you

magnusbaeck · August 20, 2018, 7:09pm

Logstash can connect to any SMTP server.

WarrenG · August 21, 2018, 7:30am

Thanks Magnus, this is now working and I received an email last night, my config:

  if "clamav" in [tags] and "FOUND" in [message]  {
        email {
            from => "logstash_alert@xxx.com"
            subject => "logstash alert"
            to => "xxx@xxx.com"
            via => "smtp"
            body => "Here is the event line that occured: %{message}"
            address => "smtp.xxx.com"
            port => 25
        }
    }

Thank you

system · September 18, 2018, 7:30am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash email alerts dynamically from multiple log files Logstash	10	4465	July 6, 2017
Is the email plugin defunct in LS 2.1? Logstash	4	905	July 6, 2017
Logstash Email error : email - Something happen while delivering an email {:exception=>#<Net::SMTPAuthenticationError: Must issue a STARTTLS command first Logstash	3	1264	August 21, 2019
Kibana Email Alert Kibana elastic-stack-alerting	8	3473	July 1, 2022
eMail Notification via Logstash Logstash	2	1854	November 6, 2017

Email alert for message in tag

Related topics