Email alert per sourceip

Elastic Stack Elasticsearch
1

we created one watcher having multiple sourceip so that whenever the watcher matches the messages it will send email alert.

Will it be possible that the watcher having multiple sourceip will send multiple email alerts base on the sourceip that matches the message filter instead of having one email alerts only for all sourceip.

2

Welcome, @ianvera! Would you mind sharing your watch definition? That will help me better answer your question. Thanks!

3

Hi Alison,

Thank you for responding, appreciate it.

I have attach here the watch definition that we created.

Actually this is for our monitoring and alerting, that everytime the watcher runs it will search for messages per sourceip and send the log details in email per sourceip or per HOST that is actually the logic that we wanted. actually we prefer hostname to be mentioned in the email alert not the IP.

Hope you could assist us, since we were just new to ELK and watcher.

Eventually this alerts will be push to BigPanda.

Thanks in advance, looking forward to hearing from you.

Best regards,

Edward Ian Vera

(Attachment AIX_POC_Watcher_Multiple_Search_IP_err_syslog_ng.txt is missing)

4

Hi Alison,

Thank you for responding, appreciate it.

I have attach here the watch definition that we created.

Actually this is for our monitoring and alerting, that everytime the watcher runs it will search for messages per sourceip and send the log details in email per sourceip or per HOST that is actually the logic that we wanted. actually we prefer hostname to be mentioned in the email alert not the IP.

Hope you could assist us, since we were just new to ELK and watcher.

Eventually this alerts will be push to BigPanda.

Thanks in advance, looking forward to hearing from you.

please see below.

{
"trigger": {
"schedule": {
"interval": "15m"
}
},
"input": {
"search": {
"request": {
"body": {
"size": 200,
"query": {
"bool": {
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-5m"
}
}
},
{
"terms": {
"SOURCEIP": ["10.411.123.11","10.411.123.12","10.412.123.13","10.412.123.14","10.511.123.17","10.611.123.18","10.812.123.19","10.811.123.20"]}
}],
"should": [

{
"match_phrase": {
"message": "| notice | syslog-ng"
}
},
{
"match_phrase": {
"message": "| err | syslog-ng"
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"attachments": {
"attached_data": {
"data": {
"format": "json"
}
}
},
"to": [
"edward_ian_vera@manulife.com"
],
"subject": "ELK AIX JP POC server test alert",
"body": {
"html": "

AIX err syslog-ng test alert, I/O error occurred while writing; fd='17', error='No space left on device. If the problem persists, please contact your system administrator (Test Only)</h3>

Saved Search</td><cf_org_name: asitd>{{ctx.watch_id}}</td></tr>
Query</td> +( Syslog connection failed; fd='12', error='Connection timed out)</td></tr>
Triggered time</td> {{ctx.trigger.triggered_time}}</td></tr>
Hostname</td> {{ctx.payload.hits.HOST}}</td></tr></table>
History for this Watch</a>

Latest hit msg</h3>{{ctx.payload.hits.hits.0._source.msg}}

All hits</h3>{{ctx.payload.hits.hits}}"
}
}
},
"throttle_period_in_millis": 90000
}

Best Regards.
5

Thanks for sharing more information @ianvera! Watch actions support a foreach field. I have not tested it, but it sounds like that might help you achieve sending multiple emails per source IP.

6

Thanks Alison for the feedback, BTW do you have a sample format of the foreach in the watch action.

7

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.