Hi there,
I'm trying to configure what seems to be a really easy watcher but can't get it to work like I want it to. I'm trying to alert if a failed login occurs on one of our Windows servers or a Linux server. Here's my watcher:
PUT _xpack/watcher/watch/Security_CheckFailLoginWindows
{
  "trigger": {
    "schedule": {
      "hourly": { "minute": 0 }
    }
  },
  "input": {
    "search": {
      "request": {
        "indices": ["qa-*"],
        "body": {
          "query": {
            "bool": {
              "must": [
                {
                  "query_string": {
                    "query": "An account failed to log on"
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-60m"
                    }
                  }
                }
              ]
            }
          },
          "aggs": {
            "hostname": {
              "terms": {
                "field": "Hostname"
              }
            }
          }
        }
      }
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period": "5m",
      "slack": {
        "account": "alerting",
        "message": {
          "from": "ES Watcher",
          "to": ["#channelhere"],
          "dynamic_attachments": {
            "list_path": "ctx.payload.aggregations.hostname.buckets",
            "attachment_template": {
              "color": "danger",
              "pretext": "Fail login on following Windows host in the last hour",
              "title": "Fail login encountered",
              "text": "{{key}}"
            }
          }
        }
      }
    }
  }
}
It actually posts on Slack, but it shows more failed logins than it actually should. What you see above should be searching for occurrences in the last hour, right? And it should post results from the last hour only. Is my watcher too complicated for nothing? Is aggregation needed? I'm really new to ES and I'm trying to get this working using online documentation.
I'm trying to achieve this:
Post in Slack: X number of failed logins on following Windows host in the last hour: Hostname
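The following is an added example, not the poster's watcher and not Elastic's code. It holds a corrected version of the watch (phrase-quoted `query_string`, `size: 0`, a `compare` condition so nothing is posted on an empty result, and an attachment template that uses the bucket's `doc_count` and `key`) next to a small simulation of how Watcher's dynamic attachments are rendered from the search payload. The simulation's Mustache substitution, the `SAMPLE_PAYLOAD` and the host names are constructed for the demo; the condition path `ctx.payload.hits.total` assumes Elasticsearch 6.x (7.x reports `hits.total.value`). Running it shows why the original `{{Fail login encountered}}` title renders as an empty string and how one attachment per host comes out.

```python
import re

# Corrected watch body (assumed; constructed for this example, not the thread's original).
# Assumes Elasticsearch 6.x, where ctx.payload.hits.total is a plain integer.
WATCH = {
    "trigger": {"schedule": {"hourly": {"minute": 0}}},
    "input": {
        "search": {
            "request": {
                "indices": ["qa-*"],
                "body": {
                    "size": 0,  # only the per-host aggregation feeds the message
                    "query": {
                        "bool": {
                            "filter": [
                                # Quoting the phrase keeps the words together; an unquoted
                                # query_string ORs the individual terms and over-matches.
                                {"query_string": {"query": "\"An account failed to log on\""}},
                                {"range": {"@timestamp": {"gte": "now-60m"}}},
                            ]
                        }
                    },
                    "aggs": {"hostname": {"terms": {"field": "Hostname"}}},
                },
            }
        }
    },
    # Skip the action entirely when the last hour had no matching events.
    "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
    "actions": {
        "notify-slack": {
            "throttle_period": "5m",
            "slack": {
                "account": "alerting",
                "message": {
                    "from": "ES Watcher",
                    "to": ["#channelhere"],
                    "dynamic_attachments": {
                        "list_path": "ctx.payload.aggregations.hostname.buckets",
                        "attachment_template": {
                            "color": "danger",
                            "pretext": "Failed logins in the last hour",
                            "title": "{{doc_count}} failed logins on host {{key}}",
                            "text": "Host: {{key}}",
                        },
                    },
                },
            },
        }
    },
}

# Minimal stand-in for Watcher's Mustache rendering: {{name}} is replaced by the
# bucket field of that name, and an unknown name renders as an empty string.
_PLACEHOLDER = re.compile(r"\{\{\s*([^}]+?)\s*\}\}")


def lookup_path(payload, dotted):
    """Resolve a list_path such as 'ctx.payload.aggregations.hostname.buckets'."""
    node = {"ctx": {"payload": payload}}
    for part in dotted.split("."):
        node = node[part]
    return node


def render_template(template, bucket):
    """Fill one attachment template from one terms-aggregation bucket."""
    def substitute(match):
        name = match.group(1)
        return str(bucket[name]) if name in bucket else ""
    return {field: _PLACEHOLDER.sub(substitute, value) for field, value in template.items()}


def condition_met(payload):
    """Emulates the compare condition: ctx.payload.hits.total > 0."""
    return payload["hits"]["total"] > 0


def build_attachments(watch, payload):
    """Return the Slack attachments the watch would produce for this payload."""
    if not condition_met(payload):
        return []
    dynamic = watch["actions"]["notify-slack"]["slack"]["message"]["dynamic_attachments"]
    buckets = lookup_path(payload, dynamic["list_path"])
    return [render_template(dynamic["attachment_template"], bucket) for bucket in buckets]


# Constructed search payload: 5 failed logons spread over two hosts.
SAMPLE_PAYLOAD = {
    "hits": {"total": 5},
    "aggregations": {"hostname": {"buckets": [
        {"key": "WIN-DC01", "doc_count": 3},
        {"key": "WIN-APP02", "doc_count": 2},
    ]}},
}

if __name__ == "__main__":
    for attachment in build_attachments(WATCH, SAMPLE_PAYLOAD):
        print(attachment["title"])
```

The `compare` condition is what stops the hourly schedule from posting an empty attachment list, and the `throttle_period` only matters once the condition has fired.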