Is it possible to call a field using Uptime TLS alerting?

Hi there,

I have made an alert rule like this using an Elasticsearch query:

I set the action to write the alert to kibana.log.

Here is the message and query:

{
  "query": {
    "bool": {
      "filter": [
        {
          "script": {
            "script": {
              "source": "boolean lt(Supplier s, def v) {return s.get() < v} boolean gte(Supplier s, def v) {return s.get() >= v}lt(() -> { def wer = doc['tls.certificate_not_valid_after'].value.millis;\r\ndef wes = doc['@timestamp'].value.millis;\r\ndef was = wer - wes;\r\n\r\nreturn was / 1000 / 60 / 60 / 24; }, params.lt) && gte(() -> { def wer = doc['tls.certificate_not_valid_after'].value.millis;\r\ndef wes = doc['@timestamp'].value.millis;\r\ndef was = wer - wes;\r\n\r\nreturn was / 1000 / 60 / 60 / 24; }, params.gte)",
              "params": {
                "lt": 30,
                "gte": 1,
                "value": "<30 >=1"
              },
              "lang": "painless"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}

From what I have set, the result looks like this:

{"type":"log","@timestamp":"2023-03-02T15:16:33+07:00","tags":["warning","plugins","actions"],"pid":1653,"message":"Server log: Warning Detected expire cert *.apps.ocp-nprod.testing.co.id From Issuer CoreCA is expiring Cert Expire 2023-04-01T02:43:50.000Z Tags: manual-renew;Warning Detected expire cert system:node:ocpwndapp1 From Issuer kube-csr-signer_@1676023668 is expiring Cert Expire 2023-03-12T10:07:48.000Z Tags: auto-renew;Warning Detected expire cert api.ocp-nprod.testing.co.id From Issuer kube-apiserver-lb-signer is expiring Cert Expire 2023-03-25T03:16:44.000Z Tags: auto-renew;"}

I also created an alert rule using Uptime TLS, and here are the message and result:

{"type":"log","@timestamp":"2023-03-01T14:30:28+07:00","tags":["warning","plugins","actions"],"pid":1653,"message":"Server log: Warning Detected TLS-Certificate api.ocp-nprod.testing.co.id from issuer kube-apiserver-lb-signer is expiring. Certificate expires on Mar 25, 2023  in 23 days. . ;- Tags: "}
{"type":"log","@timestamp":"2023-03-01T14:30:28+07:00","tags":["warning","plugins","actions"],"pid":1653,"message":"Server log: Warning Detected TLS-Certificate system:node:ocpwndapp1 from issuer kube-csr-signer_@1676023668 is expiring. Certificate expires on Mar 12, 2023  in 11 days. . ;- Tags: "}

FYI, there are two certs detected that will expire soon. As you can see, the result from the Elasticsearch query is one log line, whereas the result from Uptime TLS is two log lines. Each detected cert has its own log line.

So my question is: is it possible to make the Elasticsearch query result look like the Uptime TLS one above? I'm using ELK v7.17.0.

Thanks
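As an added example that is not part of this post or of Kibana's alerting code, here is the rule's Painless arithmetic and its 1-to-29-day window reproduced in Python over constructed sample documents, producing both message shapes the post compares (one line per certificate versus one concatenated line). The name, issuer and tags fields, and all timestamps, are assumed placeholders; the fourth document shows that the script's integer division turns a certificate that expired less than a day ago into 0 days, which the gte=1 bound then drops.

```python
from datetime import datetime, timezone

# Constructed sample documents: the two fields the rule's Painless script reads
# (tls.certificate_not_valid_after, @timestamp) plus name/issuer/tags fields
# assumed for the message text. None of these values come from a real index.
DOCS = [
    {"@timestamp": "2023-03-02T08:16:33Z", "tls.certificate_not_valid_after": "2023-04-01T02:43:50Z",
     "name": "*.apps.ocp-nprod.testing.co.id", "issuer": "CoreCA", "tags": "manual-renew"},
    {"@timestamp": "2023-03-02T08:16:33Z", "tls.certificate_not_valid_after": "2023-03-12T10:07:48Z",
     "name": "system:node:ocpwndapp1", "issuer": "kube-csr-signer_@1676023668", "tags": "auto-renew"},
    {"@timestamp": "2023-03-02T08:16:33Z", "tls.certificate_not_valid_after": "2023-03-25T03:16:44Z",
     "name": "api.ocp-nprod.testing.co.id", "issuer": "kube-apiserver-lb-signer", "tags": "auto-renew"},
    # Expired twelve hours before the check: -0.5 days truncates to 0, so gte=1 excludes it.
    {"@timestamp": "2023-03-02T08:16:33Z", "tls.certificate_not_valid_after": "2023-03-01T20:16:33Z",
     "name": "expired.example.test", "issuer": "CoreCA", "tags": "manual-renew"},
]

def epoch_millis(ts: str) -> int:
    """Equivalent of doc[field].value.millis for an ISO-8601 UTC timestamp."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)

def days_until_expiry(doc: dict) -> int:
    """(not_valid_after - @timestamp) / 1000 / 60 / 60 / 24 with Painless long
    semantics: integer division truncating toward zero, not Python's floor."""
    was = epoch_millis(doc["tls.certificate_not_valid_after"]) - epoch_millis(doc["@timestamp"])
    days = abs(was) // (1000 * 60 * 60 * 24)
    return days if was >= 0 else -days

def matches_rule(doc: dict, lt: int = 30, gte: int = 1) -> bool:
    """The script filter: lt(days, params.lt) && gte(days, params.gte)."""
    days = days_until_expiry(doc)
    return days < lt and days >= gte

def per_certificate_lines(docs: list) -> list:
    """One message per matching certificate, the shape the Uptime TLS rule logs."""
    return [
        f"Warning Detected expire cert {d['name']} From Issuer {d['issuer']} is expiring "
        f"Cert Expire {d['tls.certificate_not_valid_after']} Tags: {d['tags']}"
        for d in docs if matches_rule(d)
    ]

def concatenated_line(docs: list) -> str:
    """All matches folded into one ';'-terminated message, the shape the ES query rule logs."""
    return "".join(line + ";" for line in per_certificate_lines(docs))
```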
