Multiple aggregates in Watcher configuration logging output

Hello,

I need help with the logging text of a Watcher alert. I've created a Watcher in Elasticsearch with the following configuration:

{
  "trigger": {
    "schedule": {
      "interval": "30m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "auditbeat*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "must": [],
              "filter": [
                {
                  "match_all": {}
                },
                {
                  "match_phrase": {
                    "event.action": {
                      "query": "user_login"
                    }
                  }
                },
                {
                  "match_phrase": {
                    "event.type": {
                      "query": "authentication_failure"
                    }
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "format": "strict_date_optional_time",
                      "gte": "now-12h",
                      "lte": "now"
                    }
                  }
                }
              ],
              "should": [],
              "must_not": []
            }
          },
          "aggs": {
            "user_name": {
              "terms": {
                "field": "user.name",
                "size": 30
              }
            },
            "host_name": {
              "terms": {
                "field": "host.name",
                "size": 30
              }
            },
            "source_ip": {
              "terms": {
                "field": "source.ip",
                "size": 30
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 5
      }
    }
  },
  "actions": {
    "log_hits": {
      "logging": {
        "level": "info",
        "text": " Total {{ctx.payload.hits.total}} failed logins. Hostname: {{#ctx.payload.aggregations.host_name.buckets}} {{key}}: {{/ctx.payload.aggregations.host_name.buckets}}, and Source IP: {{#ctx.payload.aggregations.source_ip.buckets}} {{key}}: {{/ctx.payload.aggregations.source_ip.buckets}}"
      }
    }
  }
}

Output of this alert is following:

"logged_text": " Total 16 failed logins. Hostname: mailserver1: mailserver2: mailserver3: mailserver4: mailserver5: mailserver6: mailserver6: , and Source IP: 192.168.36.160: 192.168.18.115: "

Currently, with my configuration, it prints all host_name values and then all source_ip values.

How can I modify the watcher so the aggregates are printed as host_name1 source_ip1, host_name2 source_ip2, ...? For example:

"logged_text": " Total 16 failed logins. Hostname: mailserver1: Source IP: 192.168.36.160 mailserver2: Source IP: 192.168.36.160 mailserver3: Source IP: 192.168.36.160 mailserver4: Source IP: 192.168.18.115: mailserver5: Source IP: 192.168.18.115: mailserver6: Source IP: 192.168.18.115: mailserver6: Source IP: 192.168.18.115:"

You need to use a transform to change the data to your needs, in this case merging IP and name together.

Also, you may want to do this at index time instead of query time to speed things up, for example with an ingest pipeline.

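The watch below is an added example, not part of the original thread and not code from Elastic. It shows the transform approach from the reply above, and it goes one step further than the reply: two independent `terms` aggregations cannot say which IP hit which host (the pairing is lost once the documents are bucketed separately), so `source_ip` is nested as a sub-aggregation under `host_name`, and a watch-level Painless script transform then flattens the nested buckets into a list of `{host, ip, failures}` rows that the Mustache template iterates. The field names, the `rows`/`total` keys in the transformed payload, and the `size: 0` (hits are not needed once only aggregations are read) are my choices; the watch-level `transform` runs after the `condition`, so the condition still reads the untransformed `ctx.payload.hits.total`.

```json
{
  "trigger": { "schedule": { "interval": "30m" } },
  "input": {
    "search": {
      "request": {
        "indices": [ "auditbeat*" ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "match_phrase": { "event.action": "user_login" } },
                { "match_phrase": { "event.type": "authentication_failure" } },
                { "range": { "@timestamp": { "gte": "now-12h", "lte": "now" } } }
              ]
            }
          },
          "aggs": {
            "host_name": {
              "terms": { "field": "host.name", "size": 30 },
              "aggs": {
                "source_ip": {
                  "terms": { "field": "source.ip", "size": 30 }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gte": 5 } }
  },
  "transform": {
    "script": {
      "lang": "painless",
      "source": "def rows = []; for (def h : ctx.payload.aggregations.host_name.buckets) { for (def s : h.source_ip.buckets) { rows.add(['host': h.key, 'ip': s.key, 'failures': s.doc_count]); } } return ['total': ctx.payload.hits.total, 'rows': rows];"
    }
  },
  "actions": {
    "log_hits": {
      "logging": {
        "level": "info",
        "text": "Total {{ctx.payload.total}} failed logins.{{#ctx.payload.rows}} Hostname: {{host}} Source IP: {{ip}} ({{failures}} failures);{{/ctx.payload.rows}}"
      }
    }
  }
}
```

Two caveats when running this: the nested `terms` can emit up to 30 x 30 rows, so the logged line can get long on a busy mail cluster (lower the inner `size`, or use `min_doc_count` to drop single-failure IPs); and because the transform replaces `ctx.payload`, any other action in the same watch must read the new `total`/`rows` keys rather than `ctx.payload.hits` or `ctx.payload.aggregations`.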
