I have created a watch to look for the keyword sudo on an index called syslog and send an email alert. No problem, it works as expected.
Now I need to update the watch to look for the same keyword in the /var/log/secure file instead of the whole index. Currently all the syslog files are written to the same index, syslog.
Can someone help me do it?
Here is what my current watch looks like:
{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "syslog*"
        ],
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match_phrase": {
                  "message": " sudo:"
                }
              },
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-1h"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 1
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "watch_alerts@domain.com",
        "subject": "[Test - sudo Watch] Found {{ ctx.payload.hits.total }} sudo commands",
        "body": "Found sudo commands. Total logins: {{ ctx.payload.hits.total }} \nYou may need to update this body the way you want it.",
        "attach_data": {
          "format": "json"
        }
      }
    }
  }
}
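One way to restrict the watch to lines shipped from /var/log/secure, as an added example that is not part of the original post: keep the existing match_phrase and range clauses and add a term filter on the field that carries the source file name, combining the two filters with a bool filter. The field name is an assumption: the Logstash file input stores it in `path`, and the default Logstash index template gives string fields a not_analyzed `path.raw` sub-field; Filebeat stores it in `source` instead. Confirm the name by looking at one indexed document (for example `GET syslog*/_search?size=1`) before relying on it.

```json
{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "syslog*"
        ],
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match_phrase": {
                  "message": " sudo:"
                }
              },
              "filter": {
                "bool": {
                  "must": [
                    {
                      "term": {
                        "path.raw": "/var/log/secure"
                      }
                    },
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-1h"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "watch_alerts@domain.com",
        "subject": "[sudo Watch] Found {{ ctx.payload.hits.total }} sudo commands in /var/log/secure",
        "body": "Found {{ ctx.payload.hits.total }} sudo commands in /var/log/secure in the last hour.",
        "attach_data": {
          "format": "json"
        }
      }
    }
  }
}
```

Three caveats. The term filter needs a not_analyzed field: on an analyzed `path` field the standard analyzer splits the value into the tokens var, log and secure and the exact term "/var/log/secure" never matches, so either use the `.raw` sub-field as above or switch to a `match_phrase` on `path`. The condition here is `gt: 0`, because the original `gt: 1` stays silent when exactly one sudo line arrives in the hour, which is rarely what an alert on sudo use wants. On Elasticsearch 5.x and later the `filtered` query is removed; put the `match_phrase` in a `bool` query's `must` and the `term` and `range` in its `filter`, with the rest of the watch unchanged.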