Hi,
I would like to add the 'hostname' to the email subject or body whenever a 'Failed authentication' error appears in the log messages. I have created an index that holds data for 3 servers. So whenever we see an auth error in the logs, I would like to send an email alert that includes the hostname.
{
"trigger": {
"schedule": {
"interval": "24h"
}
},
"input": {
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [
"kafka-broker-sac1*"
],
"rest_total_hits_as_int": true,
"body": {
"size": 0,
"query": {
"bool": {
"must": [],
"filter": [
{
"match_all": {}
},
{
"match_phrase": {
"message": {
"query": "Failed authentication with"
}
}
},
{
"range": {
"@timestamp": {
"from": "now-30m",
"to": "now"
}
}
}
],
"should": [],
"must_not": []
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 30
}
}
},
"actions": {
"email_admin": {
"email": {
"profile": "standard",
"attachments": {
"attached_data": {
"data": {
"format": "json"
}
}
},
"to": [
"xxx@xxx.com"
],
"subject": "Failed authentication error recently encountered on kafka-broker-sac1",
"body": {
"text": "{{ctx.payload.hits.total}} Errors have occurred in the logs:{{_source.message}}"
}
}
}
}
}
Below is one example of a log message:
@timestamp Mar 30, 2021 @ 09:25:33.903
@version 1
_id oR70g3gBr9_-7IbXZO9p
_index kafka-broker-sac1-nonprod-aws-2021.03.30
_score -
_type _doc
agent.ephemeral_id 91a9e58c-3347-4753-b8db-5568ab3d9475
agent.hostname kafka300006
agent.id 2774444d-da99-407a-bedb-8e20fa124a5a
agent.name kafka300006
agent.type filebeat
agent.version 7.9.3
ecs.version 1.5.0
environment.name dev
host.name ed1vebkfk300006
input.type log
log.file.path /var/log/kafka/kafka.log
log.offset 5,929,558
message [2021-03-30 09:25:33,135] INFO [SocketServer brokerId=1001] Failed authentication with /10.216.1.169 (Authentication failed: Invalid username or password) (org.apache.kafka.common.network.Selector)
tags beats_input_codec_plain_applied
top.ingest_latency 1
top.ingest_method beats
top.ingest_time Mar 30, 2021 @ 09:25:35.009
top.message_size 719