What should i do to trigger a watch only when condition matches to a certain requirement

addanuj · May 6, 2018, 3:13pm

Hi

I am trying to create a watch which should alert our Team only when a certain condition matches,

For example: "whenever a Failed Login Attempt Detected"

RightNow it is sending me an email after each 1 hour with same ctx.paylod.hits.total as no failed login is made and /var/log/secure file has no updates, same time my index which is carrying out /var/log/secure logs is the same as I stopped trying failed attempts, but watcher still sending because it has a scheduled trigger of 1 hr. how can I make it trigger only when a certain condition matches like whenever someone tries to do login and gets failed then only it should send me an email, or whenever index gets updated then only I should get an update by email

{
"trigger": {
"schedule": {
"interval": "1h"
}
},
"input": {
"search": {
"request": {
"body": {
"size": 0,
"query": {
"match_phrase" : {
"message" : "Failed password for invalid user"
}

      }
    },
    "indices": [
      "*"
    ]
  }
}

},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1
}
}
},

"actions" : {
"gmail_account": {
"email": {
"profile": "standard",
"to": [
"testemail@gmail.com"
],
"subject": "ELK Alert: Failed logging attempts Detected !",
"body": {
"text" : "WARNING: There are {{ctx.payload.hits.total}} Failed logging attempts Detected in last 1 Hour. "
}
}
},
"my-logging-action": {
"logging": {
"text" : "WARNING: There are {{ctx.payload.hits.total}} Failed logging attempts Detected in last 1 Hour. "
}
}
}
}

Christian_Dahlqvist · May 6, 2018, 3:40pm

The watch will trigger once every hour, but you do not seem to have a range condition in your query to only search logs that came in the last X hours. The query therefore looks at ALL data, which might be why you are seeing an email being generated every time.

addanuj · May 6, 2018, 3:47pm

Hi Christian,

Thanks for your help...

Please explain or give me an example.

Christian_Dahlqvist · May 6, 2018, 4:42pm

Add a range query component to your query that filters out results older than when the watch last ran (you may want to add a bit extra margin).

addanuj · May 6, 2018, 4:49pm

i am not able to understand you. can you write a sample for my query,

i think i need to write compare condition when current count of "ctx.payload.hits.total" is gte than
Last "ctx.payload.hits.total" but dont know how to compare two "ctx.payload.hits.total" current one and last one.

Christian_Dahlqvist · May 7, 2018, 6:01am

You need to change you query to something like this:

"query": {
  "bool": {
    "must": {
      "match_phrase" : {
        "message" : "Failed password for invalid user"
      }
    },
    "filter": {
      "range" : {
        "@timestamp" : {
          "gte" : "now-1h"
        }
      }
    }
  }
}

This will prevent you from looking at ALL documents in the index every time, as only the documents with a @timestamp within the last hour are considered.

addanuj · May 9, 2018, 7:23pm

Thanks Christian, it works !!!! ,

Thank you soo much...

is this also possible to create instant alerting system using watches?

system · June 6, 2018, 7:23pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.