目的
- 通過引用變量的方式,在watcher 郵件通知中添加觸發警告的相關信息,以便收到郵件後能快速定位問題。
示例
-
環境:CentOS Linux release 7.7.1908 (Core)、[Elasticsearch Watcher 2.4]、[Elasticsearch Reference 7.6]、[Kibana Guide 7.6]
-
以auditbeat 登錄審計爲例,演示引用變量的方法
-
登錄kibana,使用Dev Tools控制檯搜索"login"審計記錄
GET auditbeat-7.6.2-2020.06.16-000002/_search?pretty
{
"query": {
"match": {"event.dataset": "login"
}
}
}
- 執行返回的結果如下:
{
"took" : 11,
"timed_out" : false,
"_shards" : {
"total" : 1,
"successful" : 1,
"skipped" : 0,
"failed" : 0
},
"hits" : {
"total" : {
"value" : 147, #=> 搜索到147條匹配記錄
"relation" : "eq"
},
"max_score" : 4.7221236,
"hits" : [ #=> 此爲hits.hits列表
{ #=> 這裏是hits.hits列表的第0位元素開始位置
"_index" : "auditbeat-7.6.2-2020.06.16-000002",
"_type" : "_doc",
"_id" : "35Dnv3IBAriavZt1-aOf",
"_score" : 4.7221236,
"_source" : { #=> "_source" 包含了匹配記錄的源信息,
#=> 其在hits.hits列表的0位元素裏
"@timestamp" : "2020-06-17T01:32:24.965Z",
"source" : { #=> _source裏的字典類型字段,可通過.操作符獲取
"ip" : "192.168.0.62"
},
"service" : { #=> _source字段
"type" : "system"
},
"user" : { #=> _source字段
"terminal" : "pts/0",
"name" : "root",
"id" : 0
},
"ecs" : {
"version" : "1.4.0"
},
"event" : { #=> _source字段
"action" : "user_login",
"origin" : "/var/log/wtmp",
"category" : "authentication",
"outcome" : "success",
"type" : "authentication_success",
"module" : "system",
"dataset" : "login",
"kind" : "event"
},
"message" : "Login by user root (UID: 0) on pts/0 (PID: 20728) from 192.168.0.62 (IP: 192.168.0.62)", #=> _source字段
"process" : {
"pid" : 20728
},
"host" : { #=> _source字段
"os" : {
"codename" : "Core",
"platform" : "centos",
"version" : "7 (Core)",
"family" : "redhat",
"name" : "CentOS Linux",
"kernel" : "3.10.0-1062.18.1.el7.x86_64"
},
"id" : "7623ac2580824c6c8d35ead472e38f61",
"containerized" : false,
"hostname" : "php-srv3",
"architecture" : "x86_64",
"name" : "php-srv3"
},
"agent" : { #=> _source字段
"hostname" : "php-srv3",
"id" : "539e4abc-52f3-494b-8bd7-aabd420fceb8",
"version" : "7.6.2",
"type" : "auditbeat",
"ephemeral_id" : "95cb20b1-8bd9-4f97-810d-d81aa8da6d74"
}
}
},
#=> ...[略]...
-
在watcher action中,email body使用變量的方法
-
如果要調用所有匹配的信息,則使用:ctx.payload.hits
-
如果要獲取自己想要的信息,可以通過對"_source"的相關字段進行過濾,並獲取其值
-
由於
_source在hits.hits.0裏,所以調用方式爲:ctx.payload.hits.hits.0._source -
_source中的message:ctx.payload.hits.hits.0._source.message -
_source中agent的hostname:ctx.payload.hits.hits.0._source.agent.hostname -
_source中source的ip:ctx.payload.hits.hits.0._source.source.ip
-
-
-
watcher Json 的完整配置信息
{
"trigger": {
"schedule": {
"interval": "1m"
} # 觸發檢測頻率,每分鐘執行一次
},
"input": { # 輸入文件
"search": {
"request": {
"search_type": "query_then_fetch",
"indices": [ # 索引,支持通配符
"auditbeat-*"
],
"rest_total_hits_as_int": true,
"body": {
"_source": { # 對body中的_source字段進行篩選
"includes": [ # 包含以下字段
"event",
"message",
"host",
"user",
"source"
] # , excludes [...] 排除某些字段
},
"query": {
"bool": {
"must": [
{
"match": {
"event.dataset": "login" # 搜索匹配值
}
},
{
"range": {
"@timestamp": { # @當前時間2分鐘內
"gte": "now-2m",
"lte": "now"
}
}
}
]
}
}
}
}
}
},
"condition": {
"compare": {
"ctx.payload.hits.total": {
"gte": 1 # 有1次或1次以上匹配成功,則觸發actions動作
}
}
},
"actions": {
"send_email": {
"email": {
"profile": "standard",
"to": [
"[email protected]"
], # 郵件標題和body都使用變量獲取相關信息
"subject": "{{ctx.payload.hits.hits.0._source.source.ip}} login/logout {{ctx.payload.hits.hits.0._source.host.name}} {{ctx.payload.hits.total}} times in last 1min",
"body": {
"text": "{{ctx.metadata.msg}}{{ctx.payload.hits.hits.0._source.message}}"
}
}
}
},
"metadata": {
"msg": "EVENT: "
}
}
- 收到的郵件效果(這只是簡單的文本顯示,如果需要更加酷炫的效果,可以把郵件模板設置html格式):
![]()
