Reputation: 1651
I am looking for pointers to create a Kibana watcher where I want to look at my logs and send an alert if I see the text "Security Alert" in my logs more than 10 times within any 30-minute period.
I am referring to this article https://www.elastic.co/guide/en/kibana/current/watcher-ui.html#watcher-create-threshold-alert
It's not clear in the doc how I can (1) read through, filter and parse the string and (2) set up counts for the same.
Upvotes: 1
Views: 3387
Reputation: 2908
For this requirement you should use the advanced watchers over the simpler (and less powerful) threshold watchers. In the Kibana Watcher UI you can choose between both types.
See https://www.elastic.co/guide/en/kibana/current/watcher-ui.html#watcher-create-advanced-watch for an introduction and https://www.elastic.co/guide/en/elasticsearch/reference/current/how-watcher-works.html for the syntax and the overall behaviour of advanced watchers.
So based on the requirements you described in your question, here's how you would implement the watcher (conceptually, in a nutshell):
The 30 minutes would be the trigger interval.
The input section has to be an appropriate Elasticsearch query where you match the "Security Alert" text.
The condition would be like "numberOfHits gte 10". So the watcher is triggered every 30 minutes, but the actions are executed only when the condition is met.
In the actions section you would need to choose between the available options (log, mail, Slack messages etc.). If you want to send mails, then you need to set up mail accounts first.
I hope I could help you.
Upvotes: 1
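The four parts described in the answer (trigger, search input, compare condition, actions) written out as a complete advanced-watch definition. This is an added example, not code from the question, the answer or the Elastic documentation. It assumes the logs live in indices matching `logs-*`, that the log text is in a field named `message` and the event time in `@timestamp`; the index pattern, field names and the `secops@example.invalid` address are placeholders to replace. It also deviates from the answer's 30-minute trigger interval on purpose: the watch runs every 5 minutes but always looks back 30 minutes, so a burst that straddles two fixed 30-minute windows is still caught (six hits at minute 25 and six at minute 35 would never exceed 10 in either tumbling window, but do exceed 10 in the sliding one). `throttle_period` stops the same burst from re-alerting every 5 minutes while it is still inside the window.

```json
{
  "trigger": {
    "schedule": { "interval": "5m" }
  },
  "input": {
    "search": {
      "request": {
        "indices": [ "logs-*" ],
        "body": {
          "size": 0,
          "query": {
            "bool": {
              "filter": [
                { "match_phrase": { "message": "Security Alert" } },
                {
                  "range": {
                    "@timestamp": {
                      "gte": "{{ctx.trigger.scheduled_time}}||-30m",
                      "lte": "{{ctx.trigger.scheduled_time}}"
                    }
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "condition": {
    "compare": { "ctx.payload.hits.total": { "gt": 10 } }
  },
  "throttle_period": "30m",
  "actions": {
    "log_to_es": {
      "logging": {
        "text": "{{ctx.payload.hits.total}} 'Security Alert' log lines in the last 30 minutes (threshold: more than 10)"
      }
    },
    "notify_secops": {
      "email": {
        "to": "secops@example.invalid",
        "subject": "[Watcher] Security Alert burst: {{ctx.payload.hits.total}} hits in 30 minutes",
        "body": "Watch {{ctx.watch_id}} fired at {{ctx.execution_time}}: {{ctx.payload.hits.total}} log lines matched \"Security Alert\" in the 30 minutes before {{ctx.trigger.scheduled_time}}."
      }
    }
  }
}
```

Paste the body into the advanced-watch editor in Kibana (Stack Management > Watcher > Create > Advanced watch), or create it from Dev Tools with `PUT _watcher/watch/security_alert_burst` followed by the JSON. `match_phrase` keeps the two words as one phrase and is applied as a filter so no relevance scoring is computed; `size: 0` returns only the hit count, which is all the condition needs. `gt: 10` implements the question's "more than 10"; use `gte` if ten hits should already fire. The `email` action only works once an account is configured under `xpack.notification.email` in `elasticsearch.yml`, as the answer notes; until then the `logging` action alone lets you verify the watch fires by checking the Elasticsearch log and the watch history in the Watcher UI.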