GET log from access_log's apache to send email

Hi guys.
I'm using x-pack to alert when my website is attacked with access file "/etc/password". I created 1 watcher with bellow content

{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash-*"
],
"types": [],
"body": {
"size": 0,
"query": {
"bool": {
"should": [
{
"match": {
"request": "/etc/passwd"
}
},
{
"match": {
"request": "/config"
}
}
],
"filter": {
"range": {
"@timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"from": "xxx@gmail.com",
"to": [
"yyy@gmail.com"
],
"subject": "Watcher Notification",
"body": {
"text": "WARNING: {{ctx.payload.hits.total}} access /etc/passwd"
}
}
}
}
}

I want to get IP address which accessed. but i can't get it. Please help me get information IP address and send it email in watcher.

You can access the hits in the ctx.payload.hits.hits array data structure and access the IP addresses. However, this data is a regular search and only contains the first 10 hits. You actually need an aggregation to the ip address field, and then use that output in your email.

So two steps to do:

  1. Change your search to have a terms aggregation on the IP address field.
  2. Change your text to loop through that aggregation using mustache template and return the bucket keys.

--Alex

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.