I have a watcher checking if somebody is doing an SSH brute force... I ran Hydra to generate some logs... and the watcher finds it and sends me emails correctly. The problem is that it never stops sending me emails... So I read this post: How do I setup watcher to only alert on new messages? and changed my query, but the error persists...
Here is my watcher snippet:
curl -XPUT 'http://localhost:9200/_watcher/watch/ssh_bruteforce' -d '{
  "trigger" : {
    "schedule" : { "interval" : "30s" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "query" : {
            "filtered" : {
              "query" : {"match" : {"message": "*Too many authentication failures*"}},
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-60s"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "email_administrator" : {
      "throttle_period": "30s",
      "email" : {
        "to" : "email@gmail.com",
        "subject" : "[Watcher]Posible ataque de fuerza bruta a SSH",
        "body" : "Demasiados intentos fallidos para por SSH.",
        "attach_data" : true,
        "priority" : "high"
      }
    }
  }
}'
The time filter is not working... The watcher sends me an email every 30 seconds...
Thanks!
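To see how the trigger interval, the "now-60s" lookback and the throttle_period interact, here is an added simulation (an illustration written for this page, not code from the question or from Watcher). It replays the watch over constructed timestamps; the hit count mirrors only the range filter, and the throttle is modelled with the simplifying assumption that the action is suppressed while less than throttle_period has passed since it last sent.

```python
from datetime import datetime, timedelta

SEC = timedelta(seconds=1)
# Constructed sample data (not real logs): one brute-force burst of five
# "Too many authentication failures" lines within 3 seconds of 10:00:00.
BASE = datetime(2016, 1, 1, 10, 0, 0)
BURST = [BASE + s * SEC for s in (0, 1, 1, 2, 3)]
# Constructed ongoing attack: one failure line every 2 seconds for 10 minutes.
ONGOING = [BASE + s * SEC for s in range(0, 600, 2)]


def hits_in_window(events, now, lookback):
    """Count the events the watch's range filter '@timestamp >= now-<lookback>'
    would return at execution time `now` (the message match is assumed done)."""
    return sum(1 for ts in events if ts >= now - lookback)


def simulate(events, interval, lookback, throttle, runs, start=BASE):
    """Replay `runs` executions spaced `interval` apart and return the
    (time, hits) pairs at which the email action would actually send:
    the condition is hits > 0, and the throttle (assumed semantics) drops
    the action while less than `throttle` has passed since the last send."""
    sent, last_sent = [], None
    for i in range(1, runs + 1):
        now = start + interval * i
        hits = hits_in_window(events, now, lookback)
        if hits and (last_sent is None or now - last_sent >= throttle):
            sent.append((now, hits))
            last_sent = now
    return sent


if __name__ == "__main__":
    # lookback (60s) wider than the interval (30s): the same burst is mailed twice
    print(simulate(BURST, 30 * SEC, 60 * SEC, 30 * SEC, runs=6))
    # lookback equal to the interval: each event is counted in exactly one run
    print(simulate(BURST, 30 * SEC, 30 * SEC, 30 * SEC, runs=6))
    # an ongoing attack matches on every run; only a longer throttle spaces the mail
    print(len(simulate(ONGOING, 30 * SEC, 30 * SEC, 30 * SEC, runs=12)))
    print(len(simulate(ONGOING, 30 * SEC, 30 * SEC, 300 * SEC, runs=12)))
```

With a window wider than the interval, one burst is reported by two consecutive runs, and a throttle_period equal to the interval never suppresses anything; while the attack is still running the condition legitimately stays true on every run, so spacing the emails is the throttle's job, not the range filter's.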