How to suppress watches alerts

Is there any way which I can use to suppress watch alerts?

I am using ELK as a SIEM, and this seems to be a major problem, as I get multiple alerts whenever a watch condition gets true. For example, if I am getting alerts from a watch for the same host, I need some mechanism that can intelligently suppress all alerts according to my given condition for suppression, like: suppress all alerts for an hour if the same host is found, and send a single alert with a count.

Hey,

watches and their executions are stateless and not connected with other watches. If you want to do that, you would need to implement that yourself. A possible way to do this (which admittedly is cumbersome) is to add a hostname field in the watch metadata, and then use a chained input that queries the watch history for watches with this metadata and checks if the condition was met. If this is the case, do not run the actions of this watch by checking this.

The query would be something like this:

GET .watcher-history-*/_search
{
  "query": {
    "bool": {
      "must": [
        {
          "range": {
            "trigger_event.triggered_time": {
              "gte": "now-1h",
              "lte": "now"
            }
          }
        },
        {
          "term": {
            "metadata.host.keyword": {
              "value": "my_host"
            }
          }
        },
        {
          "term": {
            "result.condition.met": {
              "value": "true"
            }
          }
        }
      ]
    }
  }
}

Inside of each watch you could check if the above query has more than zero hits in your condition and only then trigger the watch.
