Email alert for message in tag

Elastic Stack Logstash
1

Hi All

First try with emailing logs, I found this bit of information but im having issues working out how this would work for me.

    if "FOUND" in [message]  {
        email {
            from => "logstash_alert@company.local"
            subject => "logstash alert"
            to => "myemail@company.local"
            via => "smtp"
            body => "Here is the event line that occured: %{message}"
        }
    }

My problem is that "found" is around quite a lot, I only want the email if the word "FOUND" is in a specific logfile / tag

is that possible?

2

Yes. If you have fields for the logfile you can just add that as a restriction in your condition.

if [filename] == "whatever" and "FOUND" in [message] {
2 Likes
3

Hi Magnus

[root@develk01 conf.d]# cat 30-elasticsearch-output.conf
output {
 elasticsearch {
    hosts => ["localhost:9200"]
    sniffing => true
    manage_template => false
    index => "%{[@metadata][beat]}-%{[@metadata][version]}-%{+YYYY.MM.dd}"
    document_type => "%{[@metadata][type]}"
  }
  if [filename] == "clamd.log" and "FOUND" in [message]  {
        email {
            from => "logstash_alert@xxx"
            subject => "logstash alert"
            to => "xxx@xxx"
            via => "smtp"
            body => "Here is the event line that occured: %{message}"
            domain => 'smtp.xxx'
            port => 25
        }
    }
}
[root@develk01 conf.d]

I then forced a run to create the log which showed up in Kibana, but no email. I also didnt see anything in the logstash logs, any idea what I have done wrong?

Logs from the server running the scan:

Starting ClamAV Scan at Mon 20 Aug 14:40:12 IST 2018
Mon Aug 20 14:45:35 2018 -> SelfCheck: Database status OK.
/home/adm-guerinw@xxx/test.virus: Eicar-Test-Signature FOUND
4

What does the event that Logstash should've sent in an email look like? Copy/paste from Kibana's JSON tab.

Have you verified that email sending is working at all?

5

I have not verified email sending is working at all, is there a link you can send on that explains that bit?

Thank you

6 
{
  "_index": "filebeat-6.3.2-2018.08.20",
  "_type": "doc",
  "_id": "yDGXV2UBVdeQSjnxZNoW",
  "_score": 1,
  "_source": {
    "offset": 113051,
    "source": "/var/log/clamd.log",
    "@timestamp": "2018-08-20T13:47:36.875Z",
    "input": {
      "type": "log"
    },
    "message": "/home/adm-guerinw@xxx/test.virus: Eicar-Test-Signature FOUND",
    "host": {
      "name": "devavdb01"
    },
    "beat": {
      "name": "devavdb01",
      "version": "6.3.2",
      "hostname": "devavdb01"
    },
    "prospector": {
      "type": "log"
    },
    "tags": [
      "clamav",
      "beats_input_codec_plain_applied"
    ],
    "@version": "1"
  },
  "fields": {
    "@timestamp": [
      "2018-08-20T13:47:36.875Z"
    ]
  }
}
7

That event doesn't have a filename field so the conditional surrounding the email output is obviously never true. You do have a source field though.

8 
  if [source] == "/var/log/clamd.log" and "FOUND" in [message]
9

or could I have:

  if [tag] == "clamav" and "FOUND" in [message]
10

The existence of a tag is checked like this:

if "clamav" in [tags] ...
11

Brilliant, I think this is a better error to have now!

[2018-08-20T15:14:51,727][ERROR][logstash.outputs.email   ] Something happen while delivering an email {:exception=>#<Errno::ECONNREFUSED: Connection refused - connect(2) for "localhost" port 25>}

Ill work on that one now.

Thank you for your help!

12

Hi Magnus

do I have to use a local smtp, can I use an external SMTP server? I can connect on port 25 with no authentication to my external smtp.

Thank you

13

Logstash can connect to any SMTP server.

14

Thanks Magnus, this is now working and I received an email last night, my config:

  if "clamav" in [tags] and "FOUND" in [message]  {
        email {
            from => "logstash_alert@xxx.com"
            subject => "logstash alert"
            to => "xxx@xxx.com"
            via => "smtp"
            body => "Here is the event line that occured: %{message}"
            address => "smtp.xxx.com"
            port => 25
        }
    }

Thank you

15

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.