How to create an alert for multiple login attempts (failed attempts) every 10 mins

This is my watcher configuration:
```json
PUT _xpack/watcher/watch/my-watch2
{
  "trigger": {
    "schedule": {
      // was "10s": the window below is 10 minutes, so the same failures
      // would otherwise be reported 60 times
      "interval": "10m"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["firewall"],
        "body": {
          // only the hit count is used, so no documents are needed
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  // "term" on an analysed text field never matches a
                  // two-word phrase; match_phrase does
                  "match_phrase": {
                    "msg": "Login Failed"
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    // was "||-10": date math needs a unit, which is the
                    // parse error Watcher reports
                    "gte": "{{ctx.trigger.scheduled_time}}||-10m",
                    "lte": "{{ctx.trigger.scheduled_time}}"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  // without a condition the e-mail is sent on every trigger, even with 0 hits;
  // the threshold of 5 is an example value
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 5
      }
    }
  },
  "actions": {
    "email_admin": {
      "email": {
        "to": "vishnumk@company.com",
        "subject": "Priority : High State : Down ",
        "body": {
          "text": "{{ctx.payload.hits.total}} failed logins in the last 10 minutes"
        }
      }
    }
  }
}
```

Please guide me; I am getting an error in the watcher section.

Please take your time and properly format your messages. This makes it impossible to parse the JSON due to the missing indentation. You can use markdown here, so please make use of that.

Also, please take the time to properly write up your use-case. Are you referring to multiple login attempts per user, in total, or from one IP?

The next step after correctly specifying what you are after is actually not to write a watch, but to come up with a query that answers your question. Only if that is done, you can actually think about writing a watch around that.

Also check out the examples repo.

Hope this helps as a start!
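As an added example (not part of the original thread or the examples repo), here is a watch built the way the reply describes for the "from one IP" variant of the question. It assumes the `firewall` index has a `msg` text field containing "Login Failed" and a keyword field `src_ip` holding the client address; the field name `src_ip`, the threshold of 5, the watch id and the recipient are illustrative. The search body is written first so it can be run on its own with `GET firewall/_search` against real data; the trigger, condition and action are only wrapped around it once the query returns the buckets you expect.

```json
PUT _xpack/watcher/watch/failed_logins_per_ip
{
  "trigger": {
    "schedule": { "interval": "10m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["firewall"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "match_phrase": { "msg": "Login Failed" } },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "{{ctx.trigger.scheduled_time}}||-10m",
                      "lte": "{{ctx.trigger.scheduled_time}}"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "by_source": {
              "terms": {
                "field": "src_ip",
                "min_doc_count": 5,
                "size": 20,
                "order": { "_count": "desc" }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "array_compare": {
      "ctx.payload.aggregations.by_source.buckets": {
        "path": "doc_count",
        "gte": { "value": 5 }
      }
    }
  },
  "actions": {
    "email_admin": {
      "throttle_period": "10m",
      "email": {
        "to": "vishnumk@company.com",
        "subject": "Priority : High - repeated failed logins in the last 10 minutes",
        "body": {
          "text": "Sources with 5 or more failed logins in the 10 minutes before {{ctx.trigger.scheduled_time}}:\n{{#ctx.payload.aggregations.by_source.buckets}}{{key}}: {{doc_count}}\n{{/ctx.payload.aggregations.by_source.buckets}}"
        }
      }
    }
  }
}
```

A few things to check before relying on this: a `terms` aggregation needs a keyword, IP or numeric field, so confirm the mapping with `GET firewall/_mapping` (if the address is indexed as text you will get an error or need a `.keyword` sub-field); a `term` query on an analysed `msg` field will never match the phrase "Login Failed", which is why `match_phrase` is used; the condition only fires when at least one bucket reaches the threshold, so an empty result does not send mail; and `POST _xpack/watcher/watch/failed_logins_per_ip/_execute` runs the watch once so you can inspect the payload and the rendered e-mail without waiting for the schedule. For the per-user variant, change the aggregation field and the wording, nothing else.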
