New to ES - Simple watcher does not work like i want

Hi there,

I'm trying to configure what seems to be a really easy watcher but can't get it to work like I want it to. I'm trying to alert if a failed login occurs on one of our Windows servers or a Linux server. Here's my watcher:

PUT _xpack/watcher/watch/Security_CheckFailLoginWindows
{
  "trigger": {
    "schedule": {
      "hourly": { "minute": 0 }
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["qa-*"],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "An account failed to log on"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60m"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "hostname": {
              "terms": {
                "field": "Hostname"
              }
            }
          }
        }
      }
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period": "5m",
      "slack": {
        "account": "alerting",
        "message": {
          "from": "ES Watcher",
          "to": ["#channelhere"],
          "dynamic_attachments": {
            "list_path": "ctx.payload.aggregations.hostname.buckets",
            "attachment_template": {
              "color": "danger",
              "pretext": "Fail login on following Windows host in the last hour",
              "title": "{{Fail login encountered}}",
              "text": "{{key}}"
            }
          }
        }
      }
    }
  }
}

It actually posts on Slack, but it shows more failed logins than it should. What you see above should be searching for occurrences in the last hour, right? And it should post results from the last hour only. Is my watcher too complicated for nothing? Is the aggregation needed? I'm really new to ES and I'm trying to get this working using the online documentation.

I'm trying to achieve this:

Post in Slack: X number of failed logins on the following Windows host in the last hour: Hostname

Hey,

please test your query outside of watcher and see what it returns. Your query is not a phrase query and might use an OR combination for each term, possibly exploding your results.

--Alex

[Fixed it] - field "Hostname" was not aggregatable. So I used another field and changed my query from:

"query": {
  "bool": {
    "must": [{
      "query_string": {
        "query": "An account failed to log on"
      }
    }]
  }
}

to

"query": {
  "bool": {
    "must": [
      {
        "query_string": {
          "analyze_wildcard": true,
          "query": "\"An account failed to log on\""
        }
      }
    ]
  }
}

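For reference, here is one complete watch that puts the two fixes from this thread together and produces the "X failed logins on host" message the original post asked for. This is an added example, not the poster's own watch: it assumes the event text lives in a `message` field (so `match_phrase` replaces the analyzed `query_string`), that `Hostname.keyword` is the aggregatable variant of the host field, and it adds a `condition` so nothing is posted to Slack when no bucket comes back. Comment lines use the `#` syntax accepted by the Kibana Console.

```json
# Added example (not from the original post). Assumed fields: message, Hostname.keyword
PUT _xpack/watcher/watch/Security_CheckFailLoginWindows
{
  "trigger": { "schedule": { "hourly": { "minute": 0 } } },
  "input": {
    "search": {
      "request": {
        "indices": ["qa-*"],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                # phrase match: all words in order, not an OR of each term
                { "match_phrase": { "message": "An account failed to log on" } },
                { "range": { "@timestamp": { "gte": "now-60m" } } }
              ]
            }
          },
          "aggs": {
            # terms aggregation needs a keyword (aggregatable) field
            "by_host": { "terms": { "field": "Hostname.keyword", "size": 50 } }
          }
        }
      }
    }
  },
  # only fire the action when at least one host had a failed login
  "condition": {
    "script": {
      "source": "return ctx.payload.aggregations.by_host.buckets.size() > 0"
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period": "5m",
      "slack": {
        "account": "alerting",
        "message": {
          "from": "ES Watcher",
          "to": ["#channelhere"],
          "text": "Failed logins in the last hour, per host:",
          "dynamic_attachments": {
            "list_path": "ctx.payload.aggregations.by_host.buckets",
            "attachment_template": {
              "color": "danger",
              # doc_count is the per-host count from the terms bucket
              "title": "{{doc_count}} failed logins on {{key}}"
            }
          }
        }
      }
    }
  }
}
```

Using `filter` instead of `must` skips scoring, which is irrelevant for an alert, and `"size": 0` keeps the raw hits out of the payload so only the per-host buckets are sent.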
