How to get data from watcher

I am using Watcher to monitor user logins to a server. If there is a new login, it should send an email alert to the user and the server admin (I already have the fields username, clientip, ssh).
I have a question.
For example, my input in Watcher matched 20 total hits.
How do I send email to 20 users? Or in another case, with 25 total hits matched, how do I send email to 25 users?

It looks like this:

 {
  "trigger" : {
    "schedule" : {
      "interval" : "1m"
    }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logs" ],
        "body" : {
          "query": {
            "bool": {
              "must": [
              {
                  "match": {
                    "type": {
                      "query": "ssh"
                    }
                  }
                },
                {
                  "match": {
                    "ssh_type": {
                      "query": "login_success"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gte" : 1 }}
  },
  "actions" : {
    "notify-slack" : {
      "throttle_period" : "5m",
      "slack" : {
        "account" : "team1",
        "message" : {
          "from" : "watcher",
          "to" : [ "#admins", "@chief-admin" ],
          "text" : "System X Monitoring",
          "attachments" : [
            {
              "pretext": "Alert new login to server",
              "title" : "Server name (from field {{beat.hostname}})",
              "text" : "IP login, Usernamem, Time login",
              "color" : "#36a64f"
            }
          ]
        }
      }
    }
  }
}

Thanks!

Hi,

You need to set the send mail function in the actions, like:

"actions": {
  "send_email": {
    "email": {
      "to": "",
      "subject": "",
      "body": "",
      "attachments": {
        "attached_data": {
          "data": {
            "format": "json"
          }
        }
      },
      "priority": "high"
    }
  }
}

I hope this helps.
Vovo

Thanks for the suggestion.
I think Slack and email are the same.
And with your mail function, does it send one by one to the people in the list of 25 matched users?

Hey,

You could extract the email addresses from the hits and join them with a comma in the recipient address. However, you cannot send 25 different emails to 25 different recipients at the moment.

A better solution here would be to send the data to Logstash using a webhook action and the Logstash http input, and do that over there.

--Alex
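
Added example, not from the thread or from Elastic: the per-hit fan-out that the reply above moves to the receiving side of a webhook, written in Python rather than Logstash. The field names username, clientip and beat.hostname follow the thread; the mail domain, admin address, `make_hit` helper and sample payload are assumptions constructed here.

```python
import re
from email.message import EmailMessage

MAIL_DOMAIN = "example.com"   # assumption: username maps to username@MAIL_DOMAIN
ADMIN = "admin@example.com"   # assumption: admin mailbox
# Log fields are untrusted: accept only plain account names so a crafted
# value cannot add headers or recipients to the message.
SAFE_USER = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")

def build_alerts(payload):
    """Return one EmailMessage per distinct (user, ip, host) login hit."""
    alerts, seen = [], set()
    for hit in payload.get("hits", {}).get("hits", []):
        src = hit.get("_source", {})
        user = str(src.get("username", ""))
        ip = str(src.get("clientip", ""))
        host = str(src.get("beat", {}).get("hostname", "unknown"))
        host = re.sub(r"[^A-Za-z0-9_.-]", "_", host)  # keep Subject header clean
        if not SAFE_USER.fullmatch(user) or (user, ip, host) in seen:
            continue  # malformed name, or a login already reported
        seen.add((user, ip, host))
        msg = EmailMessage()
        msg["From"] = "watcher@" + MAIL_DOMAIN
        msg["To"] = f"{user}@{MAIL_DOMAIN}"
        msg["Cc"] = ADMIN
        msg["Subject"] = f"New SSH login to {host}"
        msg.set_content(f"User: {user}\nClient IP: {ip}\n"
                        f"Time: {src.get('@timestamp', 'n/a')}\n")
        alerts.append(msg)
    return alerts

def make_hit(user, ip, host="web01"):
    """Build one constructed search hit (hypothetical helper for the sample)."""
    return {"_source": {"username": user, "clientip": ip,
                        "@timestamp": "2017-05-02T08:15:00Z",
                        "beat": {"hostname": host}}}

# Constructed sample in the shape of the search input's payload.
SAMPLE = {"hits": {"total": 4, "hits": [
    make_hit("alice", "203.0.113.7"),
    make_hit("bob", "198.51.100.23"),
    make_hit("alice", "203.0.113.7"),                      # duplicate hit
    make_hit("mallory\nBcc: x@example.net", "192.0.2.9"),  # malformed username
]}}

if __name__ == "__main__":
    for m in build_alerts(SAMPLE):
        print(m["To"], "|", m["Subject"])
```

Each returned message can be handed to `smtplib.SMTP.send_message`; the duplicate hit and the malformed username in the sample produce no message.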
