Hello,
I'm ingesting my Windows logs via Winlogbeat. I want to receive an e-mail when winlog.event_id is equal to one of 17, 34, 130 or 21. The e-mail should contain the event.code, agent.name, time and the raw event message.
I created an advanced Watcher rule. The rule triggers when the event happens. It sends the e-mail, but the fields for event.code, agent.name and message are empty.
I'm not a programmer, but if someone has an example of how to create an alert and send an e-mail with hostname, event codes & raw message, that would be very helpful.
Or show me what I'm missing.
Thank you!
Here is my code:
{
  "trigger": {
    "schedule": {
      "interval": "5m"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "winlog*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "must": [
                {
                  "terms": {
                    "winlog.event_id": [
                      "17",
                      "34",
                      "130",
                      "21"
                    ]
                  }
                }
              ],
              "filter": {
                "range": {
                  "@timestamp": {
                    "gte": "now-5m"
                  }
                }
              }
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "exchange_account": {
      "throttle_period_in_millis": 900000,
      "email": {
        "profile": "outlook",
        "from": "Elastic_Watcher_Alert@srpmic-nsn.gov",
        "to": [
          "example@abc.com"
        ],
        "cc": [
          "xyz@abc.com"
        ],
        "subject": "PKI - CRL issue : Event ID 17 or 21 or 34 or 130 ",
        "body": {
          "html": "Found event matching a potential CRL issue <br> Event ID {{event.code}} <br> on host {{agent.name}} <br> Message is: <br> {{message}} <br> There are {{ctx.payload.hits.total}} hits <br> Time of execution is {{ctx.execution_time}}"
        }
      }
    }
  }
}