# kibana.yml
# Kibana core settings followed by the Sentinl plugin block. Values are kept
# exactly as pasted; the nesting is restored from the plugin's documented
# layout because the paste had lost its indentation — confirm against the
# deployed file before reusing it.

server.host: localhost
server.name: ELK
# Plain http to Elasticsearch; tolerable only because the target is localhost.
elasticsearch.url: http://localhost:9200
elasticsearch.pingTimeout: 1500
elasticsearch.requestTimeout: 30000
i18n.defaultLocale: en
logging.dest: /var/log/kibana/kibana.log
logging.verbose: false

sentinl:
  es:
    host: localhost
    port: 9200
    timefield: '@timestamp'
    default_index: watcher
    type: sentinl-watcher
    alarm_index: watcher_alarms
    alarm_type: sentinl-alarm
    script_type: sentinl-script
  sentinl:
    history: 20
    results: 50
    scriptResults: 50
  settings:
    email:
      active: true
      # NOTE(review): the SMTP account password sits in clear text in this
      # file; restrict the file's permissions and prefer an injected secret
      # (the Kibana keystore, if it covers this key) over a committed value.
      user: 'somemail@mail.com'
      password: 'mail_password'
      host: 'smtp.mail.com'
      # ssl: false sends the credentials above unencrypted to the SMTP host.
      ssl: false
      timeout: 10000 # mail server connection timeout
    slack:
      active: true
      username: 'user.user'
      # The hook URL is a bearer secret: whoever holds it can post to the
      # channel. The value pasted here is an all-zero placeholder; the real
      # one deserves the same handling as the e-mail password.
      hook: 'https://hooks.slack.com/services/xoxp-0000000000000-0000000000000000-0000000000000-000000000000000000000'
      channel: '#alarm'
    webhook:
      active: false
      method: POST
      host: host
      port: 9200
      path: ':/{{payload.watcher_id}}'
      # TODO(review): the second placeholder has mismatched braces
      # ('{payload.hits.total}}'); it will not expand if this action is enabled.
      body: '{{payload.watcher_id}}{payload.hits.total}}'
    # report:
    #   active: true
    #   tmp_path: /tmp/
    #   search_guard: false
    #   simple_authentication: true
    pushapps:
      active: false
      api_key: '<pushapps API Key>'
  54.  
  55. Watcher input
  56.  
  57. {
  58. "search": {
  59. "request": {
  60. "index": [
  61. "<syslog_ter-*>"
  62. ],
  63. "body": {
  64. "version": true,
  65. "size": 500,
  66. "sort": [
  67. {
  68. "@timestamp": {
  69. "order": "desc",
  70. "unmapped_type": "boolean"
  71. }
  72. }
  73. ],
  74. "query": {
  75. "bool": {
  76. "must": [
  77. {
  78. "query_string": {
  79. "query": "'HAVE NOT'",
  80. "analyze_wildcard": true
  81. }
  82. },
  83. {
  84. "range": {
  85. "@timestamp": {
  86. "gte": 1523548910558,
  87. "lte": 1523549810560,
  88. "format": "epoch_millis"
  89. }
  90. }
  91. },
  92. {
  93. "range": {
  94. "@timestamp": {
  95. "from": "now-1h"
  96. }
  97. }
  98. }
  99. ],
  100. "must_not": []
  101. }
  102. },
  103. "_source": {
  104. "excludes": []
  105. },
  106. "aggs": {
  107. "2": {
  108. "date_histogram": {
  109. "field": "@timestamp",
  110. "interval": "30s",
  111. "time_zone": "Europe/Helsinki",
  112. "min_doc_count": 1
  113. }
  114. }
  115. },
  116. "stored_fields": [
  117. "*"
  118. ],
  119. "script_fields": {},
  120. "docvalue_fields": [
  121. "@timestamp"
  122. ],
  123. "highlight": {
  124. "pre_tags": [
  125. "@kibana-highlighted-field@"
  126. ],
  127. "post_tags": [
  128. "@/kibana-highlighted-field@"
  129. ],
  130. "fields": {
  131. "*": {
  132. "highlight_query": {
  133. "bool": {
  134. "must": [
  135. {
  136. "query_string": {
  137. "query": "'HAVE NOT'",
  138. "analyze_wildcard": true,
  139. "all_fields": true
  140. }
  141. },
  142. {
  143. "range": {
  144. "@timestamp": {
  145. "gte": 1523548910558,
  146. "lte": 1523549810560,
  147. "format": "epoch_millis"
  148. }
  149. }
  150. }
  151. ],
  152. "must_not": []
  153. }
  154. }
  155. }
  156. },
  157. "fragment_size": 2147483647
  158. }
  159. }
  160. }
  161. }
  162. }
  163.  
  164.  
  165. Watcher condition
  166. {
  167. "script": {
  168. "script": "payload.hits.total > 200"
  169. }
  170. }
  171.  
  172. Watcher RAW
  173.  
  174.  
  175. {
  176. "_index": "watcher",
  177. "_type": "sentinl-watcher",
  178. "_id": "AWK6pya-v9t5dLavUKLf",
  179. "_version": 2,
  180. "found": true,
  181. "_source": {
  182. "title": "have not",
  183. "disable": false,
  184. "report": false,
  185. "trigger": {
  186. "schedule": {
  187. "later": "every 5 mins"
  188. }
  189. },
  190. "input": {
  191. "search": {
  192. "request": {
  193. "index": [
  194. "<syslog-*>"
  195. ],
  196. "body": {
  197. "version": true,
  198. "size": 500,
  199. "sort": [
  200. {
  201. "@timestamp": {
  202. "order": "desc",
  203. "unmapped_type": "boolean"
  204. }
  205. }
  206. ],
  207. "query": {
  208. "bool": {
  209. "must": [
  210. {
  211. "query_string": {
  212. "query": "'HAVE NOT'",
  213. "analyze_wildcard": true
  214. }
  215. },
  216. {
  217. "range": {
  218. "@timestamp": {
  219. "gte": 1523548910558,
  220. "lte": 1523549810560,
  221. "format": "epoch_millis"
  222. }
  223. }
  224. },
  225. {
  226. "range": {
  227. "@timestamp": {
  228. "from": "now-1h"
  229. }
  230. }
  231. }
  232. ],
  233. "must_not": []
  234. }
  235. },
  236. "_source": {
  237. "excludes": []
  238. },
  239. "aggs": {
  240. "2": {
  241. "date_histogram": {
  242. "field": "@timestamp",
  243. "interval": "30s",
  244. "time_zone": "Europe/Helsinki",
  245. "min_doc_count": 1
  246. }
  247. }
  248. },
  249. "stored_fields": [
  250. "*"
  251. ],
  252. "script_fields": {},
  253. "docvalue_fields": [
  254. "@timestamp"
  255. ],
  256. "highlight": {
  257. "pre_tags": [
  258. "@kibana-highlighted-field@"
  259. ],
  260. "post_tags": [
  261. "@/kibana-highlighted-field@"
  262. ],
  263. "fields": {
  264. "*": {
  265. "highlight_query": {
  266. "bool": {
  267. "must": [
  268. {
  269. "query_string": {
  270. "query": "'HAVE NOT'",
  271. "analyze_wildcard": true,
  272. "all_fields": true
  273. }
  274. },
  275. {
  276. "range": {
  277. "@timestamp": {
  278. "gte": 1523548910558,
  279. "lte": 1523549810560,
  280. "format": "epoch_millis"
  281. }
  282. }
  283. }
  284. ],
  285. "must_not": []
  286. }
  287. }
  288. }
  289. },
  290. "fragment_size": 2147483647
  291. }
  292. }
  293. }
  294. }
  295. },
  296. "condition": {
  297. "script": {
  298. "script": "payload.hits.total > 200"
  299. }
  300. },
  301. "actions": {
  302. "email_admin": {
  303. "throttle_period": "0h15m0s",
  304. "email": {
  305. "to": "alarm@localhost",
  306. "from": "sentinl@localhost",
  307. "subject": "Sentinl Alarm",
  308. "priority": "high",
  309. "body": "Found {{payload.hits.total}} Events"
  310. }
  311. },
  312. "New slack action have not": {
  313. "throttle_period": "0h0m0s",
  314. "slack": {
  315. "channel": "#alarm",
  316. "message": "Write a message",
  317. "stateless": false
  318. }
  319. }
  320. }
  321. }
  322. }