How to update a watch to look for KEYWORD on a FILE instead of WHOLE INDEX?

alerting

(Robert Thanulingam) #1

I have created a watch to look for a keyword sudo on an index syslog and send an email alert. No problem, works as expected.

Now I need to update the watch to look for the same keyword in the /var/log/secure file instead of the whole index. Currently all the syslog files are written to the same index syslog.

Can someone help me to do it?

Here is what my current watch looks like:

{
  "trigger": {
    "schedule": {
      "interval": "1h"
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": [
          "syslog*"
        ],
        "body": {
          "query": {
            "filtered": {
              "query": {
                "match_phrase": {
                  "message": " sudo:"
                }
              },
              "filter": {
                "range": { "@timestamp": { "gte": "now-1h" } }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 1
      }
    }
  },
  "actions": {
    "send_email": {
      "email": {
        "to": "watch_alerts@domain.com",
        "subject": "[Test - sudo Watch] Found {{ ctx.payload.hits.total }} sudo commands",
        "body": "Found sudo commands. Total logins: {{ ctx.payload.hits.total }} \nYou may need to update this body the way you want it.",
        "attach_data": {
          "format": "json"
        }
      }
    }
  }
}


(Alexander Reelsen) #2

Hey,

this solely depends on your data model and on whether additional data, like the file path you are searching for, has been indexed and is searchable.

So the question is, do you index the required data in order to extend the query? If so, you can extend the query part of the filtered query to be a bool query with two must clauses.

Hope this helps.

--Alex
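Applying Alex's suggestion, here is an added example (not from the original thread) of the watch's input section with the query part of the filtered query turned into a bool query with two must clauses; it assumes each syslog event is indexed with a field holding the source file path, called `path` here (the real field name depends on the shipper, e.g. Filebeat or Logstash).

```json
{
  "input": {
    "search": {
      "request": {
        "indices": [
          "syslog*"
        ],
        "body": {
          "query": {
            "filtered": {
              "query": {
                "bool": {
                  "must": [
                    { "match_phrase": { "message": " sudo:" } },
                    { "term": { "path": "/var/log/secure" } }
                  ]
                }
              },
              "filter": {
                "range": { "@timestamp": { "gte": "now-1h" } }
              }
            }
          }
        }
      }
    }
  }
}
```

The `term` clause only matches if the path field is stored as a single token (`not_analyzed`); on an analyzed string field the standard analyzer splits `/var/log/secure` into separate tokens, so use `match_phrase` there or add a `not_analyzed` sub-field. Confirm the field actually exists with a plain search against the index before relying on the watch.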
