Logging Action Watcher

RdrgPorto · March 30, 2017, 8:29am

Hi everyone,

I am using Elasticsearch, Kibana and Watcher with Shield. I am trying to create a watch in order to notify me in the Elastic's log if it finds an ip. In the Watcher History (index), I observe that the watch works, however, there is nothing in the log:

Here the watch:

curl -XPUT 'http://localhost:9200/_watcher/watch/test' -d '{"trigger":{"schedule":{"interval":"10s"}},"input":{"search":{"request":{"indices":["Test"],"body":{"query":{"bool":{"must":[{"term":{"host":"192.168.0.1"}},{"range":{"@timestamp":{"gt":"now-5m"}}}]}}}}}},"condition":{"compare":{"ctx.payload.hits.total":{"eq":0}}},"actions":{"log":{"logging":{"text":"Found"}}}}'

Moreover, it works if I create a email action (before I configured Shield for email). I have to configure any else in Shield in the case of "logging action"?

Thanks in advance,

Regards

spinscale · March 30, 2017, 8:14am

Hey,

there is no additional configuration for the logging action, when shield is enabled.

Which log did you check? You need to check the logfile of the master node. Did you do that? Have you changed your logging configuraiton and might be suppressing this message accidentally?

Also, I do not understand how you can use Elasticsearch 5.2.2 and Watcher 2.4 - does this mean you have a dedicated watcher cluster?

--Alex

RdrgPorto · March 30, 2017, 8:33am

Hi Alexander,

I didn't know that the message appears only in Master's log (it was my fault). Is there any way to log in all machines?. I asked this because in our actual configuration, I not have a concrete Master (I have several machines).

Regarding to my cluster, I made a mistake with the versions, actually I am using X-Pack (Elasticsearch, Kibana, Shield, Watcher).

Thanks,

Regards

spinscale · March 30, 2017, 9:10am

Hey,

there is no possibility to log this somewhere else. You can just use the index action and access that document across the cluster with a search as a workaround.

--Alex

RdrgPorto · March 30, 2017, 9:26am

Hi Alexandre,

I have a last question, do you know if there is any chance to execute a script as .sh or .py in the case of finding the ip (in this case) ?

Thanks in advance,

Regards

spinscale · March 30, 2017, 9:44am

Hey,

no there is not. The luckily enabled security manager in Elasticsearch forbids spawning new processes.

if you want to do something like that, send the data over to logstash using a webhook in watcher. You need the http input on the logstash side as well as the exec output.

See these links for more information:
https://www.elastic.co/guide/en/logstash/5.3/plugins-inputs-http.html
https://www.elastic.co/guide/en/logstash/5.3/plugins-outputs-exec.html

--Alex

system · April 27, 2017, 9:44am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.