Hi guys.
I'm using X-Pack to alert when my website is attacked with requests for the file "/etc/passwd". I created one watcher with the content below:
{
"trigger": {
"schedule": {
"interval": "5m"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"logstash-*"
],
"types": ,
"body": {
"size": 0,
"query": {
"bool": {
"should": [
{
"match": {
"request": "/etc/passwd"
}
},
{
"match": {
"request": "/config"
}
}
],
"filter": {
"range": {
"@timestamp": {
"from": "now-5m",
"to": "now"
}
}
}
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gt": 0
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"from": "xxx@gmail.com",
"to": [
"yyy@gmail.com"
],
"subject": "Watcher Notification",
"body": {
"text": "WARNING: {{ctx.payload.hits.total}} access /etc/passwd"
}
}
}
}
}
I want to get the IP address that made the request, but I can't get it. Please help me retrieve the IP address and include it in the email sent by the watcher.