Hello Amy,
Thank you for posting in the community.
In Alerting, you can use any queries to obtain the data to include in the messages, but in general we use a _search endpoint without aggregations. Then you can extract the data by using the mustache language: https://www.tsmean.com/articles/mustache/the-ultimate-mustache-tutorial/
Here you have a query example for a rule.id, but you can search by agent.name or any other field:
{
  "size": 10,
  "sort": { "timestamp": "desc" },
  "query": {
    "bool": {
      "must": [
        { "match": { "rule.id": "301000" } }
      ],
      "filter": [
        {
          "range": {
            "timestamp": {
              "gte": "now-1d",
              "lte": "now"
            }
          }
        }
      ]
    }
  }
}
It will give you 10 results ("size": 10) of the rule 301000.
Then in the message configuration you need to specify the mustache template to build the body of the message:
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
- Trigger: {{ctx.trigger.name}}
- Severity: {{ctx.trigger.severity}}
- Period start: {{ctx.periodStart}}
- Period end: {{ctx.periodEnd}}
- Occurrences: {{ctx.results.0.hits.total.value}}
More Information
{{#ctx.results.0.hits.hits}}
- Agent: {{_source.agent.name}}
- Group: {{_source.agent.labels.wazuh.group}}
- Rule: {{_source.rule.id}}
- Full log: {{_source.full_log}}
{{/ctx.results.0.hits.hits}}
This will give something like this:
Monitor <MONITOR-NAME> just entered alert status. Please investigate the issue.
- Trigger: <TRIGGER-NAME>
- Severity: 3
- Period start: 2020-11-25T20:32:25.485Z
- Period end: 2020-11-25T20:33:25.485Z
- Occurrences: 3
More Information
- Agent: <AGENT1-NAME>
- Group: <AGENT1-LABEL>
- Rule: 301001
- Full log: <all the log>
- Agent: <AGENT2-NAME>
- Group: <AGENT2-LABEL>
- Rule: 301001
- Full log: <all the log>
- Agent: <AGENT3-NAME>
- Group: <AGENT3-LABEL>
- Rule: 301001
- Full log: <all the log>
I hope this information is helpful.
You can learn more about the Alerting module here: https://opensearch.org/docs/1.2/monitoring-plugins/alerting/index/
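As an added example (not code from the original post or from the OpenSearch project), the script below renders a template like the one above against a constructed ctx document with a minimal mustache subset, showing how the `{{#ctx.results.0.hits.hits}}` section iterates over the search hits and how `_source.*` paths resolve inside it; the monitor, agent and log values are made up.

```python
import re

# Constructed stand-in for the ctx object Alerting hands to the template
# (field names follow the post's template; the values are invented).
CTX = {"ctx": {
    "monitor": {"name": "wazuh-rule-301000"},
    "trigger": {"name": "rule-fired", "severity": "3"},
    "periodStart": "2020-11-25T20:32:25.485Z",
    "periodEnd": "2020-11-25T20:33:25.485Z",
    "results": [{"hits": {"total": {"value": 2}, "hits": [
        {"_source": {"agent": {"name": "web-01", "labels": {"wazuh": {"group": "web"}}},
                     "rule": {"id": "301000"}, "full_log": "log line one"}},
        {"_source": {"agent": {"name": "db-01", "labels": {"wazuh": {"group": "db"}}},
                     "rule": {"id": "301000"}, "full_log": "log line two"}},
    ]}}],
}}

TEMPLATE = """Monitor {{ctx.monitor.name}} just entered alert status.
- Occurrences: {{ctx.results.0.hits.total.value}}
{{#ctx.results.0.hits.hits}}
- Agent: {{_source.agent.name}} ({{_source.agent.labels.wazuh.group}}) rule {{_source.rule.id}}: {{_source.full_log}}
{{/ctx.results.0.hits.hits}}"""

SECTION = re.compile(r"{{#([\w.]+)}}\n?(.*?){{/\1}}\n?", re.S)
VAR = re.compile(r"{{([\w.]+)}}")

def lookup(path, scopes):
    """Resolve a dotted path (dict keys or list indexes such as results.0),
    searching the innermost scope (the current hit) before the outer ones."""
    for scope in reversed(scopes):
        cur, ok = scope, True
        for part in path.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
                cur = cur[int(part)]
            else:
                ok = False
                break
        if ok:
            return cur
    return ""  # mustache renders a missing name as an empty string

def render(template, scopes):
    """Mustache subset: {{name}} substitution plus {{#list}}...{{/list}} sections.
    Unlike real mustache, output is not HTML-escaped; section bodies are
    rendered once per list item with that item pushed as the inner scope."""
    out, pos = [], 0
    for m in SECTION.finditer(template):
        out.append(VAR.sub(lambda v: str(lookup(v.group(1), scopes)), template[pos:m.start()]))
        value = lookup(m.group(1), scopes)
        items = value if isinstance(value, list) else ([value] if value else [])
        out.append("".join(render(m.group(2), scopes + [item]) for item in items))
        pos = m.end()
    out.append(VAR.sub(lambda v: str(lookup(v.group(1), scopes)), template[pos:]))
    return "".join(out)

def render_alert(ctx=CTX, template=TEMPLATE):
    return render(template, [ctx])
```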