spinscale
(Alexander Reelsen)
June 17, 2019, 12:50pm
```
"body": "{{#toJson}}payload{{/toJson}}"
```
This must be (in hook-tornado2):
```
"body": "{{#toJson}}ctx.payload{{/toJson}}"
```
The logging message you shared above still references {{payload.hits.totals}} instead of {{ctx.payload.hits.totals}}.
Hi @spinscale,
I changed the watcher following your note, but the result of the message is the same:
```
"msg": "Watcher Notification Encountered {{ctx.payload.hits.totals}} failed logon from user {{ctx.payload.hits.hits.0._source.winlog.event_data.TargetUserName}}.",
```
The watcher is here:
```json
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winlogbeat-*"
        ],
        "types": [],
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-5m",
                      "to": "now"
                    }
                  }
                },
                {
                  "match": {
                    "winlog.event_id": "4625"
                  }
                }
              ]
            }
          },
          "aggs": {
            "users": {
              "terms": {
                "field": "winlog.event_data.TargetUserName.keyword",
                "size": 10
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 10
      }
    }
  },
  "actions": {
    "my-logging-action": {
      "logging": {
        "level": "info",
        "text": "Watcher Notification Encountered {{ctx.payload.hits.total}} failed logon from user {{#ctx.payload.hits.hits.0}}{{_source.winlog.event_data.TargetUserName}}{{/ctx.payload.hits.hits.0}}."
      }
    },
    "hook-tornado": {
      "webhook": {
        "scheme": "http",
        "host": "localhost",
        "port": 8080,
        "method": "post",
        "path": "/event/webhook-elastic",
        "params": {
          "token": "123"
        },
        "headers": {},
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    },
    "hook-tornado2": {
      "transform": {
        "script": "def payload = ctx.payload; payload.msg = 'Watcher Notification Encountered {{ctx.payload.hits.totals}} failed logon from user {{ctx.payload.hits.hits.0._source.winlog.event_data.TargetUserName}}.'; return payload;"
      },
      "webhook": {
        "scheme": "http",
        "host": "localhost",
        "port": 8080,
        "method": "post",
        "path": "/event/failed-passwords",
        "params": {
          "token": "abc"
        },
        "headers": {},
        "body": "{{#toJson}}ctx.payload{{/toJson}}"
      }
    }
  }
}
```
And the output is here:
https://jsonblob.com/16e29212-9102-11e9-959d-1337d0458def
Thank you
Franco
spinscale
(Alexander Reelsen)
June 18, 2019, 12:12pm
Sorry, I misread your scripting. The issue here is that you cannot use mustache within Painless.
You need to do something like this in a Painless script to concatenate strings (or you use mustache again to create strings and only Painless to provide the proper data structures):
```
"script": "def payload = ctx.payload; payload.msg = 'Watcher Notification Encountered ' + ctx.payload.hits.total + ' failed logon from user ' + ctx.payload.hits.hits[0]._source.winlog.event_data.TargetUserName + '.'; return payload;"
```
Could you give me an example of how to concatenate strings in this watcher?
Thank you
Franco
spinscale
(Alexander Reelsen)
June 18, 2019, 12:53pm
If you keep using {{toJson}} in the body, I think the above approach is the most suitable one.
Thank you @spinscale. I hope I have understood. I will test it in the next few days and give you feedback.
I see that I used the wrong string concatenation in my script:
```
"script": "def payload = ctx.payload; payload.msg = 'Watcher Notification Encountered {{ctx.payload.hits.totals}} failed logon from user {{ctx.payload.hits.hits.0._source.winlog.event_data.TargetUserName}}.'; return payload;"
```
instead of your script code:
```
"script": "def payload = ctx.payload; payload.msg = 'Watcher Notification Encountered ' + ctx.payload.hits.total + ' failed logon from user ' + ctx.payload.hits.hits[0]._source.winlog.event_data.TargetUserName + '.'; return payload;"
```
In the end I set again:
```
"body": "{{#toJson}}payload{{/toJson}}"
```
because in the transform I return payload.
See you soon
Franco
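The corrected hook-tornado2 action, assembled from the fix discussed above as an added example (it is not a configuration posted in the thread): the transform builds msg with Painless string concatenation instead of mustache placeholders, reads hits.total (not hits.totals), indexes the first hit with Painless list syntax hits.hits[0], and the webhook body serialises the returned payload. Host, port, path and token are the placeholder values already used in the thread; the explicit Content-Type header is an addition.

```json
"hook-tornado2": {
  "transform": {
    "script": {
      "source": "def payload = ctx.payload; payload.msg = 'Watcher Notification Encountered ' + ctx.payload.hits.total + ' failed logon from user ' + ctx.payload.hits.hits[0]._source.winlog.event_data.TargetUserName + '.'; return payload;",
      "lang": "painless"
    }
  },
  "webhook": {
    "scheme": "http",
    "host": "localhost",
    "port": 8080,
    "method": "post",
    "path": "/event/failed-passwords",
    "params": {
      "token": "abc"
    },
    "headers": {
      "Content-Type": "application/json"
    },
    "body": "{{#toJson}}payload{{/toJson}}"
  }
}
```

Because the watcher's condition only fires the actions when ctx.payload.hits.total is at least 10, hits.hits[0] is guaranteed to exist when the transform runs; a watcher without such a condition would need a null check on hits.hits before indexing it.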
Great @spinscale !!!!
Now it's OK, I tried it.
I will start this week with this new knowledge
Thank you
Franco
system
(system)
Closed
July 21, 2019, 9:01pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.