Alerting Aggregation


Pulasthi Batuwita

Nov 20, 2024, 2:22:34 PM
to Wazuh | Mailing List
Hi,

I am trying to add some useful information to my alerts, such as the rule description and the full log, etc., but it does not show them in the alert email. Following is my query and "mustache message template". I appreciate the team's support on this.

{
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-1h",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                },
                {
                    "term": {
                        "decoder.name": {
                            "value": "fortigate-firewall-v5",
                            "boost": 1
                        }
                    }
                },
                {
                    "term": {
                        "rule.description": {
                            "value": "Fortigate: Login failed.",
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "aggregations": {
        "terms_agg": {
            "terms": {
                "field": "data.msg",
                "size": 10,
                "min_doc_count": 1,
                "shard_min_doc_count": 0,
                "show_term_doc_count_error": false,
                "order": [
                    {
                        "_count": "desc"
                    },
                    {
                        "_key": "asc"
                    }
                ]
            }
        }
    }
}
Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
  - Occurrences: {{ctx.results.0.hits.total.value}}

{{#ctx.results.0.hits.hits}}
- Rule: {{_source.rule.description}}
{{/ctx.results.0.hits.hits}}
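As an added example (not part of the original post and not Wazuh's or OpenSearch's own code), the Python script below mimics the response shape an alerting monitor stores in ctx.results.0: a search run with "size": 0 leaves hits.hits empty, so the template section over it renders nothing, whereas a top_hits sub-aggregation (an assumed addition to terms_agg, named `samples` here) carries rule.description and full_log into every data.msg bucket. The sample alert documents are constructed.

```python
from collections import Counter

# Constructed sample alerts, shaped like the Wazuh alert documents that the
# monitor query above filters on (decoder.name and rule.description).
SAMPLE_ALERTS = [
    {"rule": {"description": "Fortigate: Login failed."},
     "data": {"msg": "admin login failed from ssh(10.0.0.5)"},
     "full_log": "action=login status=failed user=admin srcip=10.0.0.5"},
    {"rule": {"description": "Fortigate: Login failed."},
     "data": {"msg": "admin login failed from ssh(10.0.0.5)"},
     "full_log": "action=login status=failed user=admin srcip=10.0.0.5"},
    {"rule": {"description": "Fortigate: Login failed."},
     "data": {"msg": "audit login failed from https(203.0.113.9)"},
     "full_log": "action=login status=failed user=audit srcip=203.0.113.9"},
]

# Assumed addition to the "terms_agg" block of the query: a top_hits
# sub-aggregation so that every data.msg bucket carries one sample document.
TOP_HITS_SUBAGG = {"aggregations": {"samples": {"top_hits": {
    "size": 1, "_source": {"includes": ["rule.description", "full_log"]}}}}}

def run_search(docs, size, top_hits_size=1):
    """Mimic the response shape the monitor stores in ctx.results.0:
    `size` bounds hits.hits, while each terms_agg bucket over data.msg
    carries the top_hits sample described by TOP_HITS_SUBAGG."""
    counts = Counter(d["data"]["msg"] for d in docs)
    keys = sorted(counts, key=lambda k: (-counts[k], k))  # _count desc, _key asc
    buckets = []
    for key in keys:
        matching = [d for d in docs if d["data"]["msg"] == key]
        buckets.append({"key": key, "doc_count": counts[key], "samples": {"hits": {
            "hits": [{"_source": d} for d in matching[:top_hits_size]]}}})
    return {"hits": {"total": {"value": len(docs)},
                     "hits": [{"_source": d} for d in docs[:size]]},
            "aggregations": {"terms_agg": {"buckets": buckets}}}

def rule_lines_from_hits(response):
    """What the template section {{#ctx.results.0.hits.hits}} iterates over."""
    return [f"- Rule: {h['_source']['rule']['description']}"
            for h in response["hits"]["hits"]]

def rule_lines_from_buckets(response):
    """Same fields read from the terms_agg buckets and their top_hits sample,
    which are populated even when the search itself runs with "size": 0."""
    lines = []
    for b in response["aggregations"]["terms_agg"]["buckets"]:
        src = b["samples"]["hits"]["hits"][0]["_source"]
        lines.append(f"- {b['key']} ({b['doc_count']}x): "
                     f"{src['rule']['description']} | {src['full_log']}")
    return lines
```

Calling `rule_lines_from_hits(run_search(SAMPLE_ALERTS, size=0))` returns an empty list, while `rule_lines_from_buckets` on the same response yields one line per data.msg value with the rule description and full log.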

Gonzalo Acuña

8:22 AM
to Wazuh | Mailing List
Hi.
Can you give me more context, please?
1. What documentation are you following?
2. What is the alert you are receiving in your email?
3. What additional configuration have you made for the alert notifications?

Regards.
Gonzalo.