Alerting Aggregation


Pulasthi Batuwita

Nov 20, 2024, 2:22:34 PM
to Wazuh | Mailing List
Hi,

I try to add some useful information to my alerts, such as rule description and full log, etc. But it does not show them in the alert email. Following is my query and "mustache message template". Appreciate team support on this.

{
    "size": 0,
    "query": {
        "bool": {
            "filter": [
                {
                    "range": {
                        "@timestamp": {
                            "from": "{{period_end}}||-1h",
                            "to": "{{period_end}}",
                            "include_lower": true,
                            "include_upper": true,
                            "format": "epoch_millis",
                            "boost": 1
                        }
                    }
                },
                {
                    "term": {
                        "decoder.name": {
                            "value": "fortigate-firewall-v5",
                            "boost": 1
                        }
                    }
                },
                {
                    "term": {
                        "rule.description": {
                            "value": "Fortigate: Login failed.",
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "aggregations": {
        "terms_agg": {
            "terms": {
                "field": "data.msg",
                "size": 10,
                "min_doc_count": 1,
                "shard_min_doc_count": 0,
                "show_term_doc_count_error": false,
                "order": [
                    {
                        "_count": "desc"
                    },
                    {
                        "_key": "asc"
                    }
                ]
            }
        }
    }
}



Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
  - Occurrences: {{ctx.results.0.hits.total.value}}

{{#ctx.results.0.hits.hits}}
- Rule: {{_source.rule.description}}
{{/ctx.results.0.hits.hits}}

Gonzalo Acuña

Nov 21, 2024, 8:22:15 AM
to Wazuh | Mailing List
Hi.
Can you give me more context, please?
1. What documentation are you following?
2. What is the alert you are receiving in your email?
3. What additional configuration have you made for the alert notifications?

Regards.
Gonzalo.

Pulasthi Batuwita

Dec 2, 2024, 3:30:39 PM
to Wazuh | Mailing List
Hi,

Can you give me more context, please?
1. What documentation are you following?
2. What is the alert you are receiving in your email?

Agent has disconnected. Monitor Agent Disconnection just entered alert status. Agent with ID: went offline in Wazuh. - Trigger: Agent Disconnected - Severity: 3 - Period start: 2024-12-02T19:39:58.076Z - Period end: 2024-12-02T19:49:58.076Z

3. What additional configuration have you made for the alert notifications?
    Trying to put agent IP and rule description.

Gonzalo Acuña

Dec 18, 2024, 7:21:35 AM
to Wazuh | Mailing List
Hi.
I will try to reproduce it and will get back to you.

Regards.
Gonzalo.

Gonzalo Acuña

Dec 18, 2024, 9:32:39 AM
to Wazuh | Mailing List
Hi.
I have tested with this query:
"{
    "size": 2,
    "query": {
        "bool": {
            "must": [
                {
                    "match": {
                        "rule.id": {
                            "query": "502",
                            "operator": "OR",
                            "prefix_length": 0,
                            "max_expansions": 50,
                            "fuzzy_transpositions": true,
                            "lenient": false,
                            "zero_terms_query": "NONE",
                            "auto_generate_synonyms_phrase_query": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "filter": [
                {
                    "range": {
                        "timestamp": {
                            "from": "now-1d",
                            "to": "now",
                            "include_lower": true,
                            "include_upper": true,
                            "boost": 1
                        }
                    }
                }
            ],
            "adjust_pure_negative": true,
            "boost": 1
        }
    },
    "sort": [
        {
            "timestamp": {
                "order": "desc"
            }
        }
    ]
}"

And the mustache message template you shared:

"Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
  - Occurrences: {{ctx.results.0.hits.total.value}}

{{#ctx.results.0.hits.hits}}
- Rule: {{_source.rule.description}}
{{/ctx.results.0.hits.hits}}"

In the "Preview message" section of the Alerting Monitor configuration I see the correct message:
"Monitor test just entered alert status. Please investigate the issue.
  - Trigger: test
  - Severity: 1
  - Period start: 2024-12-18T14:18:46Z
  - Period end: 2024-12-18T14:19:46Z
  - Occurrences: 6

- Rule: Wazuh server started.
- Rule: Wazuh server started."

Also, the notification that I receive is correct:
"Monitor test just entered alert status. Please investigate the issue.
  - Trigger: test
  - Severity: 1
  - Period start: 2024-12-18T14:18:33.006Z
  - Period end: 2024-12-18T14:19:33.006Z
  - Occurrences: 6
More Information
  - Rule description: Wazuh server started.
  - Rule description: Wazuh server started."

I see that the message you are getting does not match the mustache template, not even the hardcoded string part of the message. Do you have another alert/monitor configured that can be sending that notification?
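The difference between the two queries in this thread is visible in the search response the template reads. The original query has "size": 0, so the response carries hits.total (the count the template prints as Occurrences) but an empty hits.hits array, and the {{#ctx.results.0.hits.hits}} section has nothing to loop over; the test query above uses "size": 2, which is why it printed one "- Rule:" line per hit. The Python below is an added example, not code from the thread or from Wazuh/OpenSearch: it renders the thread's own template against two constructed responses with a small Mustache subset (dotted lookups, numeric list indexes, {{#list}} sections). The mapping of ctx.results.0 to the raw search response follows the thread's own use of ctx.results.0.hits.total.value; the bucket template at the end, which walks the terms_agg buckets so a "size": 0 query can still list what was seen, is a hypothetical template of mine, and the monitor names, descriptions and counts are made up.

```python
"""Why the thread's template renders no "- Rule:" lines when the query has "size": 0.

Added example, not code from the thread or from Wazuh/OpenSearch. It renders the
message template from the thread against two constructed search responses using a
small Mustache subset (dotted lookups, numeric list indexes, {{#list}} sections).
"""
import re

# Constructed responses shaped like the search response the monitor exposes as
# ctx.results.0 (the thread's template reads ctx.results.0.hits.total.value).
# Messages, counts and descriptions are made up for illustration.
RESPONSE_SIZE_0 = {          # original query: "size": 0 plus a terms aggregation
    "hits": {"total": {"value": 3, "relation": "eq"}, "hits": []},
    "aggregations": {"terms_agg": {"buckets": [
        {"key": "Login failed for user admin", "doc_count": 2},
        {"key": "Login failed for user guest", "doc_count": 1},
    ]}},
}
RESPONSE_SIZE_2 = {          # the test query from the thread: "size": 2, no aggregation
    "hits": {"total": {"value": 3, "relation": "eq"}, "hits": [
        {"_source": {"rule": {"description": "Fortigate: Login failed."}}},
        {"_source": {"rule": {"description": "Fortigate: Login failed."}}},
    ]},
}

# The template exactly as posted in the thread.
TEMPLATE = """Monitor {{ctx.monitor.name}} just entered alert status. Please investigate the issue.
  - Trigger: {{ctx.trigger.name}}
  - Severity: {{ctx.trigger.severity}}
  - Period start: {{ctx.periodStart}}
  - Period end: {{ctx.periodEnd}}
  - Occurrences: {{ctx.results.0.hits.total.value}}

{{#ctx.results.0.hits.hits}}
- Rule: {{_source.rule.description}}
{{/ctx.results.0.hits.hits}}
"""

# Hypothetical section that walks the aggregation buckets instead of the hits,
# so a "size": 0 query can still list what was seen.
BUCKET_TEMPLATE = """{{#ctx.results.0.aggregations.terms_agg.buckets}}
- {{key}}: {{doc_count}} occurrence(s)
{{/ctx.results.0.aggregations.terms_agg.buckets}}
"""

SECTION_RE = re.compile(r"\{\{#([\w.]+)\}\}\n?(.*?)\{\{/\1\}\}\n?", re.DOTALL)
VAR_RE = re.compile(r"\{\{([\w.]+)\}\}")


def lookup(path, stack):
    """Resolve a dotted name: find the first segment in the innermost context that
    has it, then walk the remaining segments (digit segments index into lists)."""
    head, *rest = path.split(".")
    for ctx in reversed(stack):
        if isinstance(ctx, dict) and head in ctx:
            value = ctx[head]
            for key in rest:
                if isinstance(value, list) and key.isdigit() and int(key) < len(value):
                    value = value[int(key)]
                elif isinstance(value, dict) and key in value:
                    value = value[key]
                else:
                    return ""          # missing path renders as empty, as Mustache does
            return value
    return ""


def render(template, stack):
    """Expand {{#name}}...{{/name}} sections (once per list item, nothing for an
    empty or missing value), then substitute {{name}} variables."""
    def expand(m):
        items = lookup(m.group(1), stack)
        if not items:
            return ""
        if isinstance(items, list):
            return "".join(render(m.group(2), stack + [item]) for item in items)
        return render(m.group(2), stack + [items])
    body = SECTION_RE.sub(expand, template)
    return VAR_RE.sub(lambda m: str(lookup(m.group(1), stack)), body)


def monitor_context(response):
    """Build the ctx object the way the template addresses it (constructed values)."""
    return {"ctx": {
        "monitor": {"name": "Fortigate login failures"},
        "trigger": {"name": "Failed logins", "severity": "3"},
        "periodStart": "2024-11-20T18:22:34Z",
        "periodEnd": "2024-11-20T19:22:34Z",
        "results": [response],
    }}


def render_alert(response):
    return render(TEMPLATE, [monitor_context(response)])


def rule_lines(response):
    """The per-hit lines the {{#...hits.hits}} section produced."""
    return [line for line in render_alert(response).splitlines() if line.startswith("- Rule:")]


def render_buckets(response):
    return render(BUCKET_TEMPLATE, [monitor_context(response)])


if __name__ == "__main__":
    print("size 0 -> rule lines:", rule_lines(RESPONSE_SIZE_0))   # []
    print("size 2 -> rule lines:", rule_lines(RESPONSE_SIZE_2))   # two lines
    print(render_buckets(RESPONSE_SIZE_0), end="")
```

Run it as a script to see both renderings side by side. Whichever fix is chosen, keep the number of documents reaching the template bounded: "size" decides how many full _source documents are copied into every notification, and a terms aggregation with a small "size" gives a summary without shipping raw log bodies by email.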