Slack alert not triggering to particular channel

Team, we have Slack integrated and we are using it for sending alerts to multiple Slack channels. Currently we created a few new channels and Slack alerts are not being received in those channels. The same watcher is sending alerts to the remaining channels properly.
Any clue on this part?

Which version of the Elastic stack are you running?

Do you have Kibana logs from the time when these messages should have been sent?

Hi Matt, it's 7.4.2. All my watcher alerts are working fine. I am even able to send Slack alerts to multiple Slack channels together. It's just 2-3 specific channels which are not receiving these alerts. The logs show "channel not found".
Adding to it, I am successfully able to send Slack alerts to both public and private channels except those 2-3 channels.

@mathur7vidit

Can you share your configuration?

{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "vpn-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 1,
          "query": {
            "bool": {
              "must": [],
              "filter": [
                {
                  "bool": {
                    "filter": [
                      {
                        "bool": {
                          "should": [
                            {
                              "match": {
                                "Event ID": "globalprotectportal-auth-fail"
                              }
                            }
                          ],
                          "minimum_should_match": 1
                        }
                      }
                    ]
                  }
                },
                {
                  "range": {
                    "@timestamp": {
                      "from": "now-1m",
                      "to": "now"
                    }
                  }
                }
              ],
              "should": [],
              "must_not": []
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gte": 1
      }
    }
  },
  "actions": {
    "notify-slack": {
      "throttle_period_in_millis": 300000,
      "slack": {
        "account": "team1",
        "message": {
          "to": [
            "@vidit.mathur",
            "siem-infosec-alerts"
          ],
          "text": "{{ctx.payload.hits.hits.0._source.Device Name}}: {{ctx.payload.hits.hits.0._source.Description}}"
        }
      }
    },
    "send_email": {
      "email": {
        "profile": "standard",
        "from": "elk@xyz.com",
        "to": [
          "vidit.mathur@xyz.com"
        ],
        "subject": "CF: VPN Login Failure Alert",
        "body": {
          "text": "{{ctx.payload.hits.hits.0._source.Device Name}}: {{ctx.payload.hits.hits.0._source.Description}}"
        }
      }
    }
  }
}

Your config looks good.

Have you tried recreating the Slack webhook?

You mean the Slack webhook which we place in elasticsearch.yml? We have had one in place for a long time, and currently we are already sending Slack alerts to multiple channels, so I don't think we need to update the Slack webhook URL.

It's possible that it's a permissions issue with the Slack API. Perhaps the existing webhook had permission to post to the previous set of channels but not the new channels.

Yes, I am suspecting the same. Any idea on how it can be fixed, or do we again need to create a new webhook?

I might be overlooking it, but I don't see a way to edit a Slack webhook. I think you need to create a new one.

You can check the watcher history or run the Execute Watch API and share that output to see what the HTTP call to Slack has returned. This should ease debugging a bit.
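As an added example (not code from the thread or from Elastic), the debugging step suggested above, carried one step further: take the JSON returned by the Execute Watch API (`POST _watcher/watch/<id>/_execute`) and pull out every Slack recipient whose message was rejected, together with the reason Slack returned. The field layout (`watch_record.result.actions[].slack.sent_messages[]` with `status`, `to`, `reason`, `response`) follows the Watcher action-result format as I know it; the sample response, watch id, recipients and reasons are constructed for this example.

```python
import json

# Constructed sample of an Execute Watch API response, trimmed to the fields
# the debugging step needs. One Slack recipient succeeded, one was rejected
# with the "channel_not_found" error mentioned in the thread.
SAMPLE_EXECUTE_RESPONSE = json.dumps({
    "watch_record": {
        "watch_id": "vpn-login-failure",
        "state": "executed",
        "result": {
            "actions": [
                {
                    "id": "notify-slack",
                    "type": "slack",
                    "status": "partial_failure",
                    "slack": {
                        "account": "team1",
                        "sent_messages": [
                            {"status": "success", "to": "siem-infosec-alerts",
                             "response": {"status": 200, "body": "ok"}},
                            {"status": "failure", "to": "new-channel",
                             "reason": "channel_not_found",
                             "response": {"status": 404, "body": "channel_not_found"}},
                        ],
                    },
                },
                {"id": "send_email", "type": "email", "status": "success"},
            ]
        },
    }
})


def failed_slack_recipients(response_json):
    """Return (action_id, recipient, reason) for every Slack recipient whose
    message was not accepted. Falls back to the HTTP response body when the
    record carries no separate reason field."""
    record = json.loads(response_json)["watch_record"]
    failures = []
    for action in record.get("result", {}).get("actions", []):
        if action.get("type") != "slack":
            continue
        for msg in action.get("slack", {}).get("sent_messages", []):
            if msg.get("status") == "success":
                continue
            reason = msg.get("reason") or msg.get("response", {}).get("body", "unknown")
            failures.append((action["id"], msg.get("to"), reason))
    return failures


if __name__ == "__main__":
    for action_id, to, reason in failed_slack_recipients(SAMPLE_EXECUTE_RESPONSE):
        print(f"{action_id}: message to {to!r} failed: {reason}")
```

A "channel_not_found" reason for only the new channels, with the old ones succeeding, points at the webhook's permissions rather than the watch definition.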
