我正在elastalert中设置警报,因此每当用户使用sudo失败时都会收到警报。但是我写的任何规则都没有任何匹配,我也不知道我做错了什么。我尝试了多个黑名单和频率规则,但没有使它们起作用,也没有使用不同的索引,字符串和过滤器。这是我目前使用的规则。
规则yaml文件
es_host: elasticsearch
es_port: 9200
name: failed_sudo_warning
index: "*:logstash-beats-*"
type: frequency
num_events: 1
timeframe:
minutes: 5
use_count_query: true
doc_type: 'doc'
filter:
- query:
query_string:
#query: "message: a"
query: "message: user NOT in sudoers"
alert:
- debug
日志文件中的消息字段:
May 16 19:58:20 Cl-Ub sudo: virtlabsiem : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/virtlabsiem ; USER=root ; COMMAND=/usr/bin/vim
索引字段:
- *:logstash-beats-*
- *:logstash-*
具有索引字段:logstash-beats-:
的弹性测试输出Please enter the file path and rule name you want to test.
/etc/elastalert/rules/failed_sudo_warning.yaml
The results can be rather long. Would you like to write the results to a file? (Y/N)
N
Successfully loaded failed_sudo_warning
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:33 UTC to 2019-05-16 18:34 UTC: 0 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:34 UTC to 2019-05-16 18:35 UTC: 0 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:35 UTC to 2019-05-16 18:36 UTC: 0 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:36 UTC to 2019-05-16 18:37 UTC: 0 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:37 UTC to 2019-05-16 18:38 UTC: 0 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:38 UTC to 2019-05-16 18:38 UTC: 0 hits
Would have written the following documents to writeback index (default is elastalert_status):
elastalert_status - {'hits': 0, 'matches': 0, '@timestamp': datetime.datetime(2019, 5, 16, 18, 38, 4, 319317, tzinfo=tzutc()), 'rule_name': 'failed_sudo_warning', 'starttime': datetime.datetime(2019, 5, 16, 18, 33, 1, 284936, tzinfo=tzutc()), 'endtime': datetime.datetime(2019, 5, 16, 18, 38, 4, 284936, tzinfo=tzutc()), 'time_taken': 0.029651165008544922}
Complete!
具有索引字段:logstash-:
的弹性测试输出Successfully loaded failed_sudo_warning
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:33 UTC to 2019-05-16 18:34 UTC: 24 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:34 UTC to 2019-05-16 18:35 UTC: 36 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:35 UTC to 2019-05-16 18:36 UTC: 20 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:36 UTC to 2019-05-16 18:37 UTC: 29 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:37 UTC to 2019-05-16 18:38 UTC: 79 hits
INFO:elastalert:Queried rule failed_sudo_warning from 2019-05-16 18:38 UTC to 2019-05-16 18:38 UTC: 0 hits
INFO:elastalert:Alert for failed_sudo_warning at 2019-05-16T18:34:53.757004Z:
INFO:elastalert:failed_sudo_warning
At least 1 events occurred between 2019-05-16 18:29 UTC and 2019-05-16 18:34 UTC
@timestamp: 2019-05-16T18:34:53.757004Z
num_hits: 188
num_matches: 5
INFO:elastalert:Ignoring match for silenced rule failed_sudo_warning
INFO:elastalert:Ignoring match for silenced rule failed_sudo_warning
INFO:elastalert:Ignoring match for silenced rule failed_sudo_warning
INFO:elastalert:Ignoring match for silenced rule failed_sudo_warning
Would have written the following documents to writeback index (default is elastalert_status):
silence - {'rule_name': 'failed_sudo_warning', '@timestamp': datetime.datetime(2019, 5, 16, 18, 38, 56, 865075, tzinfo=tzutc()), 'exponent': 0, 'until': datetime.datetime(2019, 5, 16, 18, 39, 56, 865067, tzinfo=tzutc())}
elastalert_status - {'hits': 188, 'matches': 5, '@timestamp': datetime.datetime(2019, 5, 16, 18, 38, 56, 866752, tzinfo=tzutc()), 'rule_name': 'failed_sudo_warning', 'starttime': datetime.datetime(2019, 5, 16, 18, 33, 53, 757004, tzinfo=tzutc()), 'endtime': datetime.datetime(2019, 5, 16, 18, 38, 56, 757004, tzinfo=tzutc()), 'time_taken': 0.10465812683105469}
Complete!
我希望我需要使用beats索引,而不仅仅是logstash索引,因为日志已发送到该索引。如果我打开logstash-beats索引,我会在其中看到日志,但它们也会出现在logstash-index中。希望有人可以帮助我。