I have been trying to get a simple field match condition watcher to work without success. I've combed the forums, combined advice I found here, worked with Support, all to no avail. So I figured I'd post and see if others have gotten this to work.
I am trying to do the following: if TERM appears in a log message within the last 1 minute, trigger an alert.
Here is what I've had happen so far.
The watcher finds the term in a log message and triggers an alert in the elasticsearch.log file every minute from now till the end of time regardless of the age of the alert. It appears to completely ignore the time range constraint.
While working with Support I was told to add a compare statement with the appropriate time range to stop it from firing every minute forever and just fire if the event happened in the last minute. With the compare statement the Watcher does not generate an alert ever, even if the event is in the index and within the 1 minute time range.
This is the current state of the watcher.
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "wazuh-alerts*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "data.cmd": {
                      "value": "contentfile"
                    }
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "timestamp": {
                      "gte": "now-1m",
                      "lt": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.execution_time": {
        "gte": "<{now-1m}>"
      }
    }
  },
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "Mickey Test non-repeating log action at {{ctx.execution_time}}"
      }
    }
  }
}
I am open to any advice.
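The behaviour described above follows from what the condition is comparing. A watch with no condition uses `always`, so it fires on every scheduled run regardless of what the search returned; the posted `compare` condition tests `ctx.execution_time` (the time the watch is running) against `now-1m`, which is also satisfied on every run and says nothing about whether the search matched anything. The range filter in the input already restricts the search to the last minute, so what the condition needs to test is the hit count that search returned. The watch below is an added example written for this thread, not the original poster's watch or Elastic's documentation: it keeps the same trigger, input and action, replaces the condition with a check on `ctx.payload.hits.total` (an integer because `rest_total_hits_as_int` is set), and adds a watch-level `throttle_period` so a burst of matches inside one window does not produce repeated log lines. It assumes `timestamp` is the event-time field in `wazuh-alerts*` and that `data.cmd` is mapped as `keyword` (a `term` query against a `text` field is analyzed differently and may never match; check the mapping with `GET wazuh-alerts*/_mapping/field/data.cmd` if the hit count stays at zero).

```json
{
  "trigger": {
    "schedule": {
      "interval": "1m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "wazuh-alerts*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "term": {
                    "data.cmd": {
                      "value": "contentfile"
                    }
                  }
                }
              ],
              "filter": [
                {
                  "range": {
                    "timestamp": {
                      "gte": "now-1m",
                      "lt": "now"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "throttle_period": "1m",
  "actions": {
    "log": {
      "logging": {
        "level": "info",
        "text": "Mickey Test: {{ctx.payload.hits.total}} matching event(s) in the last minute at {{ctx.execution_time}}"
      }
    }
  }
}
```

Before saving the watch, `POST _watcher/watch/_execute` with this body and `"record_execution": false` shows the `condition.met` value and the payload the input returned, which is the quickest way to confirm that `hits.total` is populated as an integer and that the range filter is actually narrowing the result. Note that the one-minute window is evaluated relative to the watch's own execution time, so events indexed with a delay (agent buffering, ingest lag) can fall outside it; widening `gte` slightly beyond the schedule interval trades a few possible duplicate notifications, which the throttle absorbs, for fewer missed ones.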