kibana.yml
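# Kibana server settings. `localhost` binds the UI to the loopback interface
# only; it is not reachable from other hosts with this value.
server.host: localhost
server.name: ELK

# Elasticsearch connection. Plain HTTP is acceptable only while the
# cluster is reached over loopback as it is here.
elasticsearch.url: http://localhost:9200
elasticsearch.pingTimeout: 1500
elasticsearch.requestTimeout: 30000

i18n.defaultLocale: en

logging.dest: /var/log/kibana/kibana.log
logging.verbose: false

# Sentinl alerting plugin configuration.
sentinl:
  # Where Sentinl stores watchers, alarms and scripts.
  es:
    host: localhost
    port: 9200
    timefield: '@timestamp'
    default_index: watcher
    type: sentinl-watcher
    alarm_index: watcher_alarms
    alarm_type: sentinl-alarm
    script_type: sentinl-script
  # Retention limits for the Sentinl UI.
  sentinl:
    history: 20
    results: 50
    scriptResults: 50
  # Action back-ends. Only `active: true` entries are used.
  settings:
    email:
      active: true
      user: 'somemail@mail.com'
      # NOTE(review): plaintext SMTP credential — restrict read access to this
      # file and keep it out of version control.
      password: 'mail_password'
      host: 'smtp.mail.com'
      # With ssl disabled the credential above and alert bodies travel in the
      # clear to the SMTP host.
      ssl: false
      timeout: 10000  # mail server connection timeout (ms)
    slack:
      active: true
      username: 'user.user'
      # An incoming-webhook URL lets anyone holding it post to the channel;
      # treat it as a secret, same as the SMTP password.
      hook: 'https://hooks.slack.com/services/xoxp-0000000000000-0000000000000000-0000000000000-000000000000000000000'
      channel: '#alarm'
    webhook:
      active: false
      method: POST
      host: host  # placeholder, set to the receiving host
      port: 9200
      path: ':/{{payload.watcher_id}}'
      # Fixed: the second placeholder was missing its opening brace
      # ({payload.hits.total}}), so it would never have been expanded.
      body: '{{payload.watcher_id}}{{payload.hits.total}}'
    # Reporting action is disabled; kept for reference.
    # report:
    #   active: true
    #   tmp_path: /tmp/
    #   search_guard: false
    #   simple_authentication: true
    pushapps:
      active: false
      api_key: '<pushapps API Key>'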
Watcher input
- {
- "search": {
- "request": {
- "index": [
- "<syslog_ter-*>"
- ],
- "body": {
- "version": true,
- "size": 500,
- "sort": [
- {
- "@timestamp": {
- "order": "desc",
- "unmapped_type": "boolean"
- }
- }
- ],
- "query": {
- "bool": {
- "must": [
- {
- "query_string": {
- "query": "'HAVE NOT'",
- "analyze_wildcard": true
- }
- },
- {
- "range": {
- "@timestamp": {
- "gte": 1523548910558,
- "lte": 1523549810560,
- "format": "epoch_millis"
- }
- }
- },
- {
- "range": {
- "@timestamp": {
- "from": "now-1h"
- }
- }
- }
- ],
- "must_not": []
- }
- },
- "_source": {
- "excludes": []
- },
- "aggs": {
- "2": {
- "date_histogram": {
- "field": "@timestamp",
- "interval": "30s",
- "time_zone": "Europe/Helsinki",
- "min_doc_count": 1
- }
- }
- },
- "stored_fields": [
- "*"
- ],
- "script_fields": {},
- "docvalue_fields": [
- "@timestamp"
- ],
- "highlight": {
- "pre_tags": [
- "@kibana-highlighted-field@"
- ],
- "post_tags": [
- "@/kibana-highlighted-field@"
- ],
- "fields": {
- "*": {
- "highlight_query": {
- "bool": {
- "must": [
- {
- "query_string": {
- "query": "'HAVE NOT'",
- "analyze_wildcard": true,
- "all_fields": true
- }
- },
- {
- "range": {
- "@timestamp": {
- "gte": 1523548910558,
- "lte": 1523549810560,
- "format": "epoch_millis"
- }
- }
- }
- ],
- "must_not": []
- }
- }
- }
- },
- "fragment_size": 2147483647
- }
- }
- }
- }
- }
Watcher condition
- {
- "script": {
- "script": "payload.hits.total > 200"
- }
- }
Watcher RAW
- {
- "_index": "watcher",
- "_type": "sentinl-watcher",
- "_id": "AWK6pya-v9t5dLavUKLf",
- "_version": 2,
- "found": true,
- "_source": {
- "title": "have not",
- "disable": false,
- "report": false,
- "trigger": {
- "schedule": {
- "later": "every 5 mins"
- }
- },
- "input": {
- "search": {
- "request": {
- "index": [
- "<syslog-*>"
- ],
- "body": {
- "version": true,
- "size": 500,
- "sort": [
- {
- "@timestamp": {
- "order": "desc",
- "unmapped_type": "boolean"
- }
- }
- ],
- "query": {
- "bool": {
- "must": [
- {
- "query_string": {
- "query": "'HAVE NOT'",
- "analyze_wildcard": true
- }
- },
- {
- "range": {
- "@timestamp": {
- "gte": 1523548910558,
- "lte": 1523549810560,
- "format": "epoch_millis"
- }
- }
- },
- {
- "range": {
- "@timestamp": {
- "from": "now-1h"
- }
- }
- }
- ],
- "must_not": []
- }
- },
- "_source": {
- "excludes": []
- },
- "aggs": {
- "2": {
- "date_histogram": {
- "field": "@timestamp",
- "interval": "30s",
- "time_zone": "Europe/Helsinki",
- "min_doc_count": 1
- }
- }
- },
- "stored_fields": [
- "*"
- ],
- "script_fields": {},
- "docvalue_fields": [
- "@timestamp"
- ],
- "highlight": {
- "pre_tags": [
- "@kibana-highlighted-field@"
- ],
- "post_tags": [
- "@/kibana-highlighted-field@"
- ],
- "fields": {
- "*": {
- "highlight_query": {
- "bool": {
- "must": [
- {
- "query_string": {
- "query": "'HAVE NOT'",
- "analyze_wildcard": true,
- "all_fields": true
- }
- },
- {
- "range": {
- "@timestamp": {
- "gte": 1523548910558,
- "lte": 1523549810560,
- "format": "epoch_millis"
- }
- }
- }
- ],
- "must_not": []
- }
- }
- }
- },
- "fragment_size": 2147483647
- }
- }
- }
- }
- },
- "condition": {
- "script": {
- "script": "payload.hits.total > 200"
- }
- },
- "actions": {
- "email_admin": {
- "throttle_period": "0h15m0s",
- "email": {
- "to": "alarm@localhost",
- "from": "sentinl@localhost",
- "subject": "Sentinl Alarm",
- "priority": "high",
- "body": "Found {{payload.hits.total}} Events"
- }
- },
- "New slack action have not": {
- "throttle_period": "0h0m0s",
- "slack": {
- "channel": "#alarm",
- "message": "Write a message",
- "stateless": false
- }
- }
- }
- }
- }