Watcher time filter problem

alerting

(Julian Somoza) #1

I have a watcher checking if somebody is making an SSH brute-force attempt... I ran Hydra to generate some logs... and the watcher finds it and sends me emails correctly. The problem is that it never stops sending me emails... So I read this post: How do I setup watcher to only alert on new messages? and changed my query, but the error persists...

Here is my watcher snippet:

curl -XPUT 'http://localhost:9200/_watcher/watch/ssh_bruteforce' -d '{
  "trigger" : {
    "schedule" : { "interval" : "30s" } 
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logstash-*" ],
        "body" : {
          "query" : {
            "filtered" : {
              "query" : {"match" : {"message": "*Too many authentication failures*"}},
              "filter": {
                "bool": {
                  "must": [
                    {
                      "range": {
                        "@timestamp": {
                          "gte": "now-60s"
                        }
                      }
                    }
                  ]
                }
              }
            }
          }
        }
      }
    }
  },
  "condition" : {
    "compare" : { "ctx.payload.hits.total" : { "gt" : 0 }}
  },
  "actions" : {
    "email_administrator" : {
      "throttle_period": "30s", 
      "email" : { 
        "to" : "email@gmail.com",
        "subject" : "[Watcher]Posible ataque de fuerza bruta a SSH",
        "body" : "Demasiados intentos fallidos para por SSH.",
        "attach_data" : true,
        "priority" : "high"
      }
    }
  }
}'

The time filter is not working... The watcher sends me an email every 30 seconds...

Thanks!


(Mark Walkom) #2

Pretty sure "throttle_period" shouldn't be under the "actions" section, eg https://www.elastic.co/guide/en/watcher/current/watching-marvel-data.html#watching-cluster-health


(Julian Somoza) #3

Thanks for the reply! I changed where this line goes, but the problem is the filter... It is finding hits from 2 days ago, and I need 5 minutes ago...

"query" : {
  "filtered" : {
    "query" : {"match" : {"message": "*Too many authentication failures*"}},
    "filter": {
      "bool": {
        "must": [
          {
            "range": {
              "@timestamp": {
                "gte": "now-60s"
              }
            }
          }
        ]
      }
    }
  }
}

What's the correct way to filter only newest hits for specific event?

Thanks!


(Julian Somoza) #4

I found out that the problem is the filter.

"query" : {"match" : {"message": "*Too many authentication failures*"}},

This isn't finding the literal string with wildcards; it is finding any word in the string... It matches authentication, or failures, or many.... However, in Kibana that search works fine...


(Julian Somoza) #5

I solved it by changing "match" to "match_phrase", and now the search is exact.

Thanks!
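To see why the original "match" query fires on unrelated lines while "match_phrase" does not (posts #4 and #5), and how the @timestamp range filter narrows the window, here is an added example that is not part of the thread: a small Python simulation of the two query types over constructed sshd log lines. It approximates Elasticsearch's standard analyzer (lowercasing, splitting on non-alphanumeric characters, which also discards the `*` wildcards) rather than calling a real cluster; the sample documents, the fixed NOW timestamp and the function names are all assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample "hits", standing in for logstash-* documents (not from the thread).
NOW = datetime(2016, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
DOCS = [
    {"@timestamp": NOW - timedelta(seconds=20),
     "message": "sshd[1001]: Disconnecting: Too many authentication failures for root"},
    {"@timestamp": NOW - timedelta(seconds=45),
     "message": "sshd[1002]: Disconnecting: Too many authentication failures for admin"},
    {"@timestamp": NOW - timedelta(days=2),      # real event, but outside the 60s window
     "message": "sshd[900]: Too many authentication failures for root"},
    {"@timestamp": NOW - timedelta(seconds=10),  # unrelated; neither query should hit
     "message": "sshd[1003]: Accepted publickey for deploy from 10.0.0.5"},
    {"@timestamp": NOW - timedelta(seconds=15),  # unrelated, but shares the word "authentication"
     "message": "systemd: Failed to start authentication service"},
]

# The query text exactly as used in the watch; the wildcards are not honored by a match query.
QUERY = "*Too many authentication failures*"


def analyze(text):
    """Approximate the standard analyzer: lowercase, split on non-alphanumerics, drop empties.
    The '*' characters vanish here, which is why the wildcards in the watch had no effect."""
    return [t for t in re.split(r"[^a-z0-9]+", text.lower()) if t]


def match(doc_text, query_text):
    """'match' with its default OR operator: a hit if ANY analyzed query term occurs."""
    doc_terms = set(analyze(doc_text))
    return any(q in doc_terms for q in analyze(query_text))


def match_phrase(doc_text, query_text):
    """'match_phrase': every query term must occur consecutively and in order."""
    doc_terms = analyze(doc_text)
    q = analyze(query_text)
    return any(doc_terms[i:i + len(q)] == q for i in range(len(doc_terms) - len(q) + 1))


def in_window(doc, now, window):
    """The '@timestamp': {'gte': 'now-60s'} range filter, with 'now' passed in explicitly."""
    return doc["@timestamp"] >= now - window


def run_watch(docs, query_fn, query_text, now, window=timedelta(seconds=60)):
    """Mimic the watch input: query AND range filter; return the messages that would be hits."""
    return [d["message"] for d in docs
            if query_fn(d["message"], query_text) and in_window(d, now, window)]


if __name__ == "__main__":
    for name, fn in (("match", match), ("match_phrase", match_phrase)):
        hits = run_watch(DOCS, fn, QUERY, NOW)
        print(f"{name}: {len(hits)} hit(s) in the last 60s")
        for h in hits:
            print("   ", h)
```

Running it shows the "match" variant counting the systemd line as a hit because it contains the single term "authentication", whereas "match_phrase" only returns the two genuine sshd lines inside the window; widening the window to several days brings the two-day-old event back into the phrase results, which is the behaviour the range filter is meant to control.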


(Symon Thurlow) #6

I spent 5 hours trying to get this working; thanks for posting your answer - it solved it for me immediately.
