Watcher time filter problem

zokratez · November 16, 2015, 3:26pm

I have a watcher checking if somebody is making ssh bruteforce... I run the Hydra to generate some logs... and the watcher find it and send me emails correctly. The problem is that it's never stop sending me emails... So I read this post: How do I setup watcher to only alert on new messages? and change my query, but the error persist...

Here is my watcher snippet:

curl -XPUT 'http://localhost:9200/_watcher/watch/ssh_bruteforce' -d '{
  "trigger" : {
    "schedule" : { "interval" : "30s" } 
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "query" : {
            "filtered" : {
              "query" : {"match" : {"message": "*Too many authentication failures*"}},
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-60s"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "email_administrator" : {
      "throttle_period": "30s", 
      "email" : { 
        "to" : "email@gmail.com",
        "subject" : "[Watcher]Posible ataque de fuerza bruta a SSH",
        "body" : "Demasiados intentos fallidos para por SSH.",
        "attach_data" : true,
        "priority" : "high"
      }
    }
  }
}'

The time filter is not working... The watcher send me an email each 30 seconds...

Thanks!

warkolm · November 17, 2015, 9:15am

Pretty sure "throttle_period" shouldn't be under the "actions" section, eg https://www.elastic.co/guide/en/watcher/current/watching-marvel-data.html#watching-cluster-health

zokratez · November 17, 2015, 12:38pm

Thanks for the reply! I change this line place, but the problem is the filter... Is finding hits from 2 days ago, and I need 5 minutes ago...

       "query" : {
            "filtered" : {
              "query" : {"match" : {"message": "*Too many authentication failures*"}},
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-60s"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }

What's the correct way to filter only newest hits for specific event?

Thanks!

zokratez · November 17, 2015, 4:40pm

I find out that the problem is the filter.

"query" : {"match" : {"message": "*Too many authentication failures*"}},

This is'nt finding the literal string with wildcards, is finding any word in the string... Match for authentication, or failures, or many.... However, in the kibana that search work fine...

zokratez · November 20, 2015, 12:12pm

I solved changing the "match" by "match_phrase" and now, the search is exact.

Thanks!

sthurlow · January 1, 2016, 5:36am

I spent 5 hours trying to get this working, thanks for posting your answer - solved it for me immediately.