Watcher and Microsoft Teams webhook

Hi there,

I would like to use the Watcher UI to send messages to a Microsoft Teams webhook.
However, when I send a notification, I see "tcp-rst-from-server" on my firewall. I do not understand why.
How could I fix this problem?

Hey,

I do not know the exact error message from your firewall, but it looks as if either there is no service listening on that port, or your firewall is resetting the TCP connection, which makes it look like there is no service listening.

Can you maybe try curl or another HTTP client on the system where you are running Elasticsearch and see if you can reach the endpoint manually, without invoking Watcher?

--Alex

Hi,

Thank you for your quick answer!

I already tried to send an HTTP POST request with Postman to the same webhook and it works fine.
I tried curl and it returns "Bad payload received by generic incoming webhook."

Lucas

running postman means you are not running that request from the host where elasticsearch is running?

can you share the output of the execute watch API for that watch?

I ran Postman on another host, but the curl I ran was on the same host as Elasticsearch.

Here is the output of the execute watch API:

curl -X POST "IPaddress:9200/_watcher/watch/MY_WATCH/_execute?pretty"
{
"_id" : "MY_WATCH",
"watch_record" : {
"watch_id" : "MY_WATCH",
"node" : "YD6L9JmOQh6tQPLkTa7bDQ",
"state" : "executed",
"status" : {
"state" : {
"active" : true,
"timestamp" : "2019-10-11T13:19:31.808Z"
},
"last_checked" : "2019-10-11T13:20:03.434Z",
"last_met_condition" : "2019-10-11T13:20:03.434Z",
"actions" : {
"webhook_1" : {
"ack" : {
"timestamp" : "2019-10-11T13:20:03.434Z",
"state" : "ackable"
},
"last_execution" : {
"timestamp" : "2019-10-11T13:20:03.434Z",
"successful" : true
},
"last_successful_execution" : {
"timestamp" : "2019-10-11T13:20:03.434Z",
"successful" : true
}
}
},
"execution_state" : "executed",
"version" : 410
},
"trigger_event" : {
"type" : "manual",
"triggered_time" : "2019-10-11T13:20:03.434Z",
"manual" : {
"schedule" : {
"scheduled_time" : "2019-10-11T13:20:03.434Z"
}
}
},
"input" : {
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
""
],
"rest_total_hits_as_int" : true,
"body" : {
"size" : 0,
"query" : {
"bool" : {
"filter" : {
"range" : {
"@timestamp" : {
"gte" : "{{ctx.trigger.scheduled_time}}||-5m",
"lte" : "{{ctx.trigger.scheduled_time}}",
"format" : "strict_date_optional_time||epoch_millis"
}
}
}
}
}
}
}
}
},
"condition" : {
"script" : {
"source" : "if (ctx.payload.hits.total > params.threshold) { return true; } return false;",
"lang" : "painless",
"params" : {
"threshold" : 200
}
}
},
"metadata" : {
"name" : "test",
"watcherui" : {
"trigger_interval_unit" : "m",
"agg_type" : "count",
"time_field" : "@timestamp",
"trigger_interval_size" : 1,
"term_size" : 5,
"time_window_unit" : "m",
"threshold_comparator" : ">",
"index" : [
"
"
],
"time_window_size" : 5,
"threshold" : 200
},
"xpack" : {
"type" : "threshold"
}
},
"result" : {
"execution_time" : "2019-10-11T13:20:03.434Z",
"execution_duration" : 442,
"input" : {
"type" : "search",
"status" : "success",
"payload" : {
"_shards" : {
"total" : 43,
"failed" : 0,
"successful" : 43,
"skipped" : 0
},
"hits" : {
"hits" : ,
"total" : 3606,
"max_score" : null
},
"took" : 424,
"timed_out" : false
},
"search" : {
"request" : {
"search_type" : "query_then_fetch",
"indices" : [
"*"
],
"rest_total_hits_as_int" : true,
"body" : {
"size" : 0,
"query" : {
"bool" : {
"filter" : {
"range" : {
"@timestamp" : {
"gte" : "2019-10-11T13:20:03.434255Z||-5m",
"lte" : "2019-10-11T13:20:03.434255Z",
"format" : "strict_date_optional_time||epoch_millis"
}
}
}
}
}
}
}
}
},
"condition" : {
"type" : "script",
"status" : "success",
"met" : true
},
"transform" : {
"type" : "script",
"status" : "success",
"payload" : {
"result" : 3606
}
},
"actions" : [
{
"id" : "webhook_1",
"type" : "webhook",
"status" : "success",
"webhook" : {
"request" : {
"host" : "outlook.office.com",
"port" : 80,
"scheme" : "http",
"method" : "post",
"path" : "webhook/PATH_GOES_HERE",
"body" : "{\r\n "@context": "https://schema.org/extensions",\r\n "@type": "MessageCard",\r\n "themeColor": "0072C6",\r\n "title": "Test Kibana ",\r\n "text": "Le test est positif",\r\n "actions": [\r\n {\r\n "@type": "HttpPOST",\r\n "name": "Send Feedback",\r\n "isPrimary": true,\r\n "target": "http://..."\r\n }\r\n ]\r\n }"
},
"response" : {
"status" : 301,
"headers" : {
"date" : [
"Fri, 11 Oct 2019 13:20:03 GMT"
],
"server" : [
"Microsoft-IIS/10.0"
],
"content-length" : [
"0"
],
"location" : [
"https://outlook.office.com:80/PATH_GOES_HERE""
],
"x-msedge-ref" : [
"Ref A: 33AF8E65F44D47D3A1DCF26F6319778B Ref B: PAR02EDGE0512 Ref C: 2019-10-11T13:20:03Z"
]
}
}
}
}
]
},
"messages" :
}
}

Hey,

please take the time to properly format your messages using markdown. This is super hard to read.

This is not an HTTP timeout or a firewall error. The HTTP server actually returned a 301 response, and the Location header in that response points at an https URL rather than the http one the action posted to.

Which version are you running? Can you update to the latest 7.4.0 version and check whether the problem persists? A problem regarding URL encoding for the webhook has been fixed in that one.

--Alex

Hi,

I'm really sorry for the format.

I'm running version 7.3.1. I will upgrade to the latest 7.4.0 version and see if the problem persists; I'll keep you updated.

Thank you for your answer!

Lucas

Hi again,

I did upgrade to the latest version but the problem persists; the HTTP server again returns a 301 response.

Lucas

try using https as the protocol instead of http in order to prevent the redirect.

I tried and it didn't work; here is the response:

{
  "watch_id": "a0ed4715-0246-433d-981b-ee69b9370ffc",
  "node": "QUApyNq4S5GyhHF-CuNjfg",
  "state": "executed",
  "status": {
    "state": {
      "active": true,
      "timestamp": "2019-10-16T12:05:22.122Z"
    },
    "last_checked": "2019-10-16T12:07:06.608Z",
    "last_met_condition": "2019-10-16T12:07:06.608Z",
    "actions": {
      "webhook_1": {
        "ack": {
          "timestamp": "2019-10-16T12:05:22.122Z",
          "state": "awaits_successful_execution"
        },
        "last_execution": {
          "timestamp": "2019-10-16T12:07:06.608Z",
          "successful": false,
          "reason": ""
        }
      }
    },
    "execution_state": "executed",
    "version": -1
  },
  "trigger_event": {
    "type": "schedule",
    "triggered_time": "2019-10-16T12:07:06.608Z",
    "schedule": {
      "scheduled_time": "2019-10-16T12:07:06.535Z"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "{{ctx.trigger.scheduled_time}}||-5m",
                    "lte": "{{ctx.trigger.scheduled_time}}",
                    "format": "strict_date_optional_time||epoch_millis"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "script": {
      "source": "if (ctx.payload.hits.total > params.threshold) { return true; } return false;",
      "lang": "painless",
      "params": {
        "threshold": 200
      }
    }
  },
  "metadata": {
    "name": "test",
    "watcherui": {
      "trigger_interval_unit": "m",
      "agg_type": "count",
      "time_field": "@timestamp",
      "trigger_interval_size": 1,
      "term_size": 5,
      "time_window_unit": "m",
      "threshold_comparator": ">",
      "index": [
        "*"
      ],
      "time_window_size": 5,
      "threshold": 200
    },
    "xpack": {
      "type": "threshold"
    }
  },
  "result": {
    "execution_time": "2019-10-16T12:07:06.608Z",
    "execution_duration": 10687,
    "input": {
      "type": "search",
      "status": "success",
      "payload": {
        "_shards": {
          "total": 13,
          "failed": 0,
          "successful": 13,
          "skipped": 0
        },
        "hits": {
          "hits": [],
          "total": 3564,
          "max_score": null
        },
        "took": 638,
        "timed_out": false
      },
      "search": {
        "request": {
          "search_type": "query_then_fetch",
          "indices": [
            "*"
          ],
          "rest_total_hits_as_int": true,
          "body": {
            "size": 0,
            "query": {
              "bool": {
                "filter": {
                  "range": {
                    "@timestamp": {
                      "gte": "2019-10-16T12:07:06.535Z||-5m",
                      "lte": "2019-10-16T12:07:06.535Z",
                      "format": "strict_date_optional_time||epoch_millis"
                    }
                  }
                }
              }
            }
          }
        }
      }
    },
    "condition": {
      "type": "script",
      "status": "success",
      "met": true
    },
    "transform": {
      "type": "script",
      "status": "success",
      "payload": {
        "result": 3564
      }
    },
    "actions": [
      {
        "id": "webhook_1",
        "type": "webhook",
        "status": "failure",
        "error": {
          "root_cause": [
            {
              "type": "socket_timeout_exception",
              "reason": "Read timed out"
            }
          ],
          "type": "socket_timeout_exception",
          "reason": "Read timed out"
        }
      }
    ]
  },
  "messages": []
}

is it possible that https cannot be reached from the node where Elasticsearch is running, but HTTP works?

https can be reached from the node where Elasticsearch is running.