Push notification from Elasticsearch to Microsoft teams via Logstash pipeline

Hi All,

I want to send some notifications from Elasticsearch to Microsoft Teams via a Logstash pipeline.

Based on my knowledge, I should use the http output plugin to connect to Microsoft Teams and push the notification as a message to the Microsoft Teams URL.

Has anyone already tried to connect to Microsoft Teams via Logstash? If yes, could you please share a dummy configuration?

Thanks in advance!
Nivedita

Hi Experts,

Could you please help me solve a "non-2xx HTTP code 400" error from a Logstash pipeline while trying to push messages to a Microsoft Teams incoming webhook?

Error

[2022-12-08T13:44:01,967][ERROR][logstash.outputs.http    ][main][c684bc194c4f1c4ab57680cfda35dc1471748cdad7df3329ac1a1dbc556fcb1b] Encountered non-2xx HTTP code 400 {:response_code=>400, :url=>"https://Dummy.webhook.office.com/webhook.....", :event=>#<LogStash::Event:0x75587351>}

Logstash pipeline

input {
  elasticsearch {
    hosts    => "https://localhost:443"
    user     => "logstash-reader"
    password => "password"
    index    => "*-test"
    # Severity values in the alert documents are lower-case keywords; a capitalised
    # "Critical" in a terms query would never match, so it is lower-cased here.
    query    => '{
      "query": {
        "bool": {
          "must":   [ { "terms": { "kibana.alert.severity": [ "high", "low", "critical", "medium" ] } } ],
          "filter": [ { "range": { "@timestamp": { "gte": "now-30d" } } } ]
        }
      }
    }'
    # cron syntax; the leading "*" of "*/2" had been lost in the posted config
    schedule       => "*/2 * * * *"
    size           => 500
    scroll         => "5m"
    docinfo        => true
    docinfo_target => "[@metadata][doc]"
    codec          => "json"
  }
}



filter {
  mutate {
    add_field => {
      # "alertHostName" => "%{[host][hostname]}"
      "msg" => "An alert with %{kibana.alert.severity} severity is occurred on %{[host][hostname]} at %{kibana.alert.original_time} because %{kibana.alert.reason}"
    }
    remove_field => ["kibana.alert.original_time","@version","kibana.alert.reason","kibana.alert.severity", "version", "@timestamp", "kibana.version", "kibana.alert.rule.category", "kibana.alert.rule.consumer", "kibana.alert.rule.execution.uuid", "log_TimeStamp", "kibana.alert.rule.name", "kibana.alert.rule.producer", "kibana.alert.rule.rule_type_id", "kibana.alert.rule.uuid", "kibana.space_ids","kibana.alert.rule.tags","agent", "process","message","ecs","data_stream","elastic","host","user",  "group","event.agent_id_status","event.sequence","event.ingested","event.created","event.kind","event.module","event.action","event.id","event.category","event.type","event.dataset","kibana.alert.ancestors","kibana.alert.status","kibana.alert.workflow_status","kibana.alert.depth","kibana.alert.risk_score","kibana.alert.rule.parameters","kibana.alert.rule.actions","kibana.alert.rule.author","kibana.alert.rule.created_at","kibana.alert.rule.created_by","kibana.alert.rule.description","kibana.alert.rule.enabled","kibana.alert.rule.exceptions_list","kibana.alert.rule.false_positives","kibana.alert.rule.from","kibana.alert.rule.immutable","kibana.alert.rule.interval","kibana.alert.rule.license","kibana.alert.rule.max_signals","kibana.alert.rule.note","kibana.alert.rule.references","kibana.alert.rule.risk_score_mapping","kibana.alert.rule.rule_id","kibana.alert.rule.severity_mapping","kibana.alert.rule.threat","kibana.alert.rule.timestamp_override","kibana.alert.rule.to","kibana.alert.rule.type","kibana.alert.rule.updated_at","kibana.alert.rule.updated_by","kibana.alert.rule.version","kibana.alert.rule.risk_score","kibana.alert.rule.severity","kibana.alert.original_event.agent_id_status","kibana.alert.original_event.sequence","kibana.alert.original_event.ingested","kibana.alert.original_event.created","kibana.alert.original_event.kind","kibana.alert.original_event.module","kibana.alert.original_event.action","kibana.alert.original_event.id","kibana.alert.original_event.category","kibana.alert.original_event.type","kibana.alert.original_event.dataset","kibana.alert.uuid"]
  }
  # json { source => "msg" }
}

output {
  stdout { }
  http {
    http_method  => "post"
    url          => "https://dummy.webhook.office.com/webhookb2/........."
    # With format => "json" and no mapping, the whole event (every remaining
    # field, including "tags") is serialised as the request body.
    format       => "json"
    content_type => "application/json"
  }
}

Output from stdout

{
    "tags" => [
        [0] "_jsonparsefailure"
    ],
     "msg" => "An alert with medium severity is occurred on Dummy-DEV at 2022-11-10T08:16:04.370Z because process event with process php-fpm7.4, parent process php-fpm7.4, by root on Dummy-DEV created medium alert Whitespace Padding in Process Command Line."
}

Thanks in advance
Nivedita

Fixed - changed

```
"msg" => "An alert with %{kibana.alert.severity} severity is occurred on %{[host][hostname]} at %{kibana.alert.original_time} because %{kibana.alert.reason}"
}
```

to

```
"text" => "An alert with %{kibana.alert.severity} severity is occurred on %{[host][hostname]} at %{kibana.alert.original_time} because %{kibana.alert.reason}"
}
```
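The same pipeline reworked around the http output's `mapping` option, added here as an example and not taken from the thread. Renaming `msg` to `text` works because the Teams incoming-webhook connector requires a `text` key in the JSON body, but with `format => "json"` and no mapping the entire event is still posted to Microsoft, which is why the original config had to strip dozens of fields by hand. A `mapping` sends only the hash you name. Assumptions: the alert field names are the ones seen in the thread, and `ES_READER_PASSWORD` and `TEAMS_WEBHOOK_URL` are entries created in the Logstash keystore with `bin/logstash-keystore add <NAME>`; the webhook URL is a bearer credential (anyone holding it can post into the channel), so it has no business sitting in a `.conf` file or in error logs.

```logstash
# Added example, not the thread's own config. Field names come from the thread;
# the ${...} variables are assumed to exist in the Logstash keystore.
input {
  elasticsearch {
    hosts    => "https://localhost:443"
    user     => "logstash-reader"
    password => "${ES_READER_PASSWORD}"     # resolved from the keystore, not written here
    index    => "*-test"
    # The time window is tied to the schedule below. A 30-day window polled every
    # two minutes re-sends every alert on every run; a window one minute wider than
    # the interval risks an occasional duplicate at the boundary but no gaps.
    query    => '{
      "query": {
        "bool": {
          "must":   [ { "terms": { "kibana.alert.severity": [ "low", "medium", "high", "critical" ] } } ],
          "filter": [ { "range": { "@timestamp": { "gte": "now-3m" } } } ]
        }
      }
    }'
    schedule       => "*/2 * * * *"
    size           => 500
    scroll         => "5m"
    docinfo        => true
    docinfo_target => "[@metadata][doc]"
  }
}

filter {
  mutate {
    # Build the message under @metadata: it is never serialised into the event
    # itself, so nothing extra has to be removed afterwards.
    add_field => {
      "[@metadata][teams_text]" => "An alert with %{kibana.alert.severity} severity occurred on %{[host][hostname]} at %{kibana.alert.original_time} because %{kibana.alert.reason}"
    }
  }
}

output {
  http {
    url          => "${TEAMS_WEBHOOK_URL}"   # keystore entry; treat like a password
    http_method  => "post"
    format       => "json"
    content_type => "application/json"
    # With a mapping, only this hash becomes the request body, so the connector
    # receives {"text": "..."} instead of the whole event (tags, @timestamp, raw
    # kibana.alert.* fields). "text" is the key the incoming webhook requires;
    # a body without it is what returned the 400 earlier in the thread.
    mapping => {
      "text" => "%{[@metadata][teams_text]}"
    }
  }
}
```

To check the body before pointing it at Microsoft, swap the `http` output for `stdout { codec => json_lines }` on a copy of the event, or keep the `stdout` output alongside and compare: the posted body should be exactly the one-key object above. Note that a 400 is not in the http output's default retry set (it retries on connection errors and on 429/5xx), so a malformed payload fails once per event rather than queueing up.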
