Hello everyone!
I set up a watcher to alert me on Slack if any failed login attempt was made on any of my servers, running every 20 seconds and looking back over the past 20 seconds, as follows:
{
  "trigger": {
    "schedule": {
      "interval": "20s"
    }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [
          "auditbeat-*"
        ],
        "rest_total_hits_as_int": true,
        "body": {
          "query": {
            "bool": {
              "filter": [
                {
                  "range": {
                    "@timestamp": {
                      "gte": "now-20s",
                      "lte": "now"
                    }
                  }
                }
              ],
              "must": [
                {
                  "match": {
                    "message": "Failed login by"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": {
      "ctx.payload.hits.total": {
        "gt": 0
      }
    }
  },
  "actions": {
    "notify-slack": {
      "slack": {
        "message": {
          "text": "!!intruder alert!! {{#toJson}}ctx.payload{{/toJson}} "
        }
      }
    }
  }
}
The alert would trigger perfectly on the first failed attempt, but would become extremely unreliable afterwards, to the point of not triggering anymore.
Could anyone please help me out with the above?
Also, ctx.payload dumps the whole query result in my face, and I couldn't find any document anywhere explaining how to extract a certain field from it.
i.e.:
What I am getting:
!!intruder alert!! {"_shards":{"total":1,"failed":0,"successful":1,"skipped":0},"hits":{"hits":[{"_index":"auditbeat-7.4.0-2019.10.31-000001","_type":"_doc","_source":{"process":{"pid":6725},"agent":{"hostname":"","name":"","id":"","type":"auditbeat","ephemeral_id":"","version":"7.4.0"},"@timestamp":"2019-11-03T14:10:18.000Z","ecs":{"version":"1.1.0"},"service":{"type":"system"},"host":{"hostname":"","os":{"kernel":"4.18.0-80.7.1.el8_0.x86_64","codename":"Core","name":"CentOS Linux","family":"redhat","version":"8 (Core)","platform":"centos"},"containerized":false,"name":"","id":"d9d5dba3f82c42d1b9a983b4dd1ae701","architecture":"x86_64"},"source":{"ip":"*******"},"event":{"kind":"event","origin":"/var/log/btmp","module":"system","action":"user_login","category":"authentication","type":"authentication_failure","dataset":"login","outcome":"failure"},"message":"Failed login by user root (UID: 0) on ssh:notty (PID: 6725) from ******* (IP: *******)","user":{"name":"root","id":0,"terminal":"ssh:notty"}},"_id":"8UuZMW4BOf42KXSOjKgf","_score":21.54823}],"total":1,"max_score":21.54823},"took":2,"timed_out":false}
What I want to get:
!!intruder alert!! {{:message:}} on {{:hostname:}}
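A reworked watch definition, added here as an example and not part of the original post. It assumes the missed alerts come from login events reaching the index a few seconds after their @timestamp, so the search window (60s) is made wider than the trigger interval (20s) and a throttle_period keeps the overlap from re-posting every run; it filters on the ECS field event.type shown in the payload above instead of a free-text match (which would match any of the words "failed", "login" or "by"), and renders only message and host.hostname from each hit with a Mustache section.

```json
{
  "trigger": {
    "schedule": { "interval": "20s" }
  },
  "input": {
    "search": {
      "request": {
        "search_type": "query_then_fetch",
        "indices": [ "auditbeat-*" ],
        "rest_total_hits_as_int": true,
        "body": {
          "size": 20,
          "sort": [ { "@timestamp": "desc" } ],
          "query": {
            "bool": {
              "filter": [
                { "term": { "event.type": "authentication_failure" } },
                { "range": { "@timestamp": { "gte": "now-60s", "lte": "now" } } }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 0 } }
  },
  "actions": {
    "notify-slack": {
      "throttle_period": "40s",
      "slack": {
        "message": {
          "text": "!!intruder alert!! {{ctx.payload.hits.total}} failed login(s):{{#ctx.payload.hits.hits}}\n{{_source.message}} on {{_source.host.hostname}}{{/ctx.payload.hits.hits}}"
        }
      }
    }
  }
}
```

Inside the `{{#ctx.payload.hits.hits}}` section each `{{_source.*}}` reference resolves against the current hit, so the Slack text lists one line per failed login; an event that straddles two 60-second windows can still be posted twice, which the throttle limits but does not rule out.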