I have one application that I need to monitor which sends the same logs until that error is not resolved. Now, I need to send a notification to Slack when this particular error occurs.
Consider these two sample logs:
{"@timestamp":"2020-07-31T18:04:23.924Z", "syslog5424_msg":"System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure."}
{"@timestamp":"2020-07-31T18:04:25.194Z", "syslog5424_msg":"System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure."}
The app I need to monitor sends the above logs with having timestamp difference of a few seconds, and if I send a stream of logs to slack, the channel will flood witch this alert.
What I'm trying to achieve is send an alert every 30 sends, for that, I'm thinking to take the timestamp difference between two logs, and if their difference is 30 sec send alert to slack else send it to Elasticsearch.
My question is how do I keep track of previous log timestamp, I'm aware of the fact that logstash reads logs in-stream, so is it possible to store the timestamp of the previous log and compare it with the current log?
filter{
if [syslog5424_msg] =~ /(System.Security\.Authentication\.AuthenticationException:\sThe\sremote\scertificate\sis\sinvalid\saccording\sto\sthe validation\sprocedure\.)/{
mutate {
add_tag => ["Slack"]
}
}
}
output {
if "Slack" in [tags] {
http {
http_method => "post"
url => "https://hooks.slack.com/services/xxx/xxx/xxx"
format => "message"
message => '{ "channel": "alerts", "text":"warning" }'
}
}