Problem with filebeat and watcher

Hello,

I have a strange issue where I created a watcher alert. It was working well since last Friday. For some reason, now that watcher sends alerts regarding the same event from 2018-12-14. I deleted and recreated the same watcher without success.

```json
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "filebeat-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-1m"
                    }
                  }
                },
                {
                  "match": {
                    "system.auth.sudo.user": "root"
                  }
                },
                {
                  "match": {
                    "source": "/var/log/secure"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "message": {
          "from": "name",
          "to": [
            "#chat"
          ],
          "text": "Sudo was run on {{ctx.payload.hits.hits.0._source.beat.name}}",
          "attachments": [
            {
              "color": "danger",
              "title": "Sudo was run by {{ctx.payload.hits.hits.0._source.system.auth.user}}",
              "text": "Command: {{ctx.payload.hits.hits.0._source.system.auth.sudo.command}}\n When: {{ctx.payload.hits.hits.0._source.system.auth.timestamp}}\n Where: {{ctx.payload.hits.hits.0._source.system.auth.hostname}}"
            }
          ]
        }
      }
    }
  }
}
```
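As an added local illustration (not part of the original post, and not Watcher code), the Python below applies the watch's three filter clauses, the `hits.total > 0` condition and the Slack template fields to constructed filebeat-style documents with assumed field values. It makes one thing visible: the one-minute window is evaluated against `@timestamp`, while the "When:" line in the message prints `system.auth.timestamp`, so the date shown in Slack can differ from the time the document was matched.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents (the `_source` part of a hit) in the field
# layout the watch's template reads; values are made up for this example.
SAMPLE_HITS = [
    {"@timestamp": "2018-12-17T10:00:10Z", "source": "/var/log/secure",
     "beat": {"name": "web-01"},
     "system": {"auth": {"user": "alice", "hostname": "web-01",
                         "timestamp": "Dec 14 08:12:01",
                         "sudo": {"user": "root", "command": "/bin/ls"}}}},
    {"@timestamp": "2018-12-14T08:12:01Z", "source": "/var/log/secure",
     "beat": {"name": "web-02"},
     "system": {"auth": {"user": "bob", "hostname": "web-02",
                         "timestamp": "Dec 14 08:12:01",
                         "sudo": {"user": "root", "command": "/usr/bin/vi"}}}},
    {"@timestamp": "2018-12-17T10:00:30Z", "source": "/var/log/messages",
     "beat": {"name": "web-03"},
     "system": {"auth": {"user": "carol", "hostname": "web-03",
                         "timestamp": "Dec 17 10:00:30",
                         "sudo": {"user": "root", "command": "/bin/cat"}}}},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC form used in @timestamp above."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def matching_hits(docs, now):
    """Mirror the bool filter: @timestamp >= now-1m, sudo user root,
    source /var/log/secure. Only @timestamp decides the time window."""
    lower = now - timedelta(minutes=1)
    return [d for d in docs
            if parse_ts(d["@timestamp"]) >= lower
            and d["system"]["auth"]["sudo"]["user"] == "root"
            and d["source"] == "/var/log/secure"]


def render_alert(hits):
    """Mirror the condition (hits.total > 0) and the Slack fields, which
    read hits.hits.0 only; returns None when the condition is false."""
    if not hits:
        return None
    src = hits[0]
    auth = src["system"]["auth"]
    return {
        "text": f"Sudo was run on {src['beat']['name']}",
        "title": f"Sudo was run by {auth['user']}",
        "body": (f"Command: {auth['sudo']['command']}\n "
                 f"When: {auth['timestamp']}\n Where: {auth['hostname']}"),
    }
```

Running it with `now` set to 2018-12-17T10:00:40Z matches only the first document, yet the rendered "When:" reads `Dec 14 08:12:01`, because that string is the log line's own timestamp rather than the indexed `@timestamp`.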

Hey,

Please take the time to properly format your messages using code snippets. You can use markdown here, and it will greatly simplify reading your watch.

Can you explain what you mean with 'created without success'? Do you get an error message back? Also can you share the response of trying to save this watch? It is super important to share both.

Also, what version of Elasticsearch are you using?

Thanks!

--Alex
