Alerting

The alerting feature notifies you when data from one or more Elasticsearch indices meets certain conditions.

Key Terms

Monitor: A job that runs on a defined schedule and queries Elasticsearch. The results of these queries are then used as input for one or more triggers.
Trigger: Conditions that, if met, generate alerts and can perform some action.
Alert: A notification that a monitor's trigger condition has been met.
Action: The information that you want the monitor to send out after being triggered. Actions have a destination, a message subject, and a message body.
Destination: A reusable location for an action, such as Amazon Chime, Slack, or a webhook URL.

Log in to Kibana as the admin user, go to the Alerting tab, and click Create Monitor.

Give the monitor a name and set the Schedule for when you want it to run.

I named my monitor Audit Unauthorized Access Events, and set it to run Every 1 minute.

On the same page, scroll down to the Define Monitor section; this is where you choose which index to monitor and the extraction condition for the data you will use to set a trigger for alerts. Set the index to security-auditlog-*, the destination for the security plugin's audit logs. Define the monitor condition as: WHEN count() OVER all documents FOR THE LAST 5 minute(s), WHERE audit_category is FAILED_LOGIN.

Click on the Create button at the bottom to create your monitor.

Next, you need to create a trigger for this monitor. A trigger allows you to perform an action when the trigger's condition on the monitor is met. I'll create a trigger which sends an alert when my monitor query returns one or more results. Set the Trigger name to Unauthorized Access Events on ES Cluster, Severity level to 1, and Trigger condition to Above 5:

Scroll down and click Create.
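The same monitor and trigger can be created without the Kibana UI by posting a monitor definition to the alerting plugin's REST API. The following is an added example, not code from the original page or from the Open Distro project: it builds the monitor body that corresponds to the steps above (index security-auditlog-*, a count of documents where audit_category is FAILED_LOGIN over the last 5 minutes, run every minute, trigger Above 5) and posts it. The endpoint path /_opendistro/_alerting/monitors, the @timestamp field name, the {{period_end}} placeholder and the ES_URL/ES_USER/ES_PASSWORD environment variables are assumptions; the action list is left empty, so a destination must be added before the trigger notifies anyone.

```python
"""Added example: create the tutorial's monitor through the Open Distro
alerting REST API instead of the Kibana UI. Endpoint path, query field
names and the {{period_end}} placeholder are assumed, not taken from the page."""
import base64
import json
import os
import urllib.request

AUDIT_INDEX = "security-auditlog-*"   # where the security plugin writes audit logs (from the page)
LOOKBACK_MINUTES = 5                  # "FOR THE LAST 5 minute(s)"
THRESHOLD = 5                         # trigger condition "Above 5"


def build_monitor(threshold=THRESHOLD, lookback=LOOKBACK_MINUTES):
    """Return the monitor body equivalent to the UI steps: run every minute,
    count FAILED_LOGIN audit events in the last `lookback` minutes and
    trigger when the count is above `threshold`."""
    return {
        "type": "monitor",
        "name": "Audit Unauthorized Access Events",
        "enabled": True,
        "schedule": {"period": {"interval": 1, "unit": "MINUTES"}},
        "inputs": [{
            "search": {
                "indices": [AUDIT_INDEX],
                "query": {
                    "size": 0,  # only the hit count matters, not the documents
                    "query": {"bool": {"filter": [
                        # match (not term) so it works whether the field is text or keyword
                        {"match": {"audit_category": "FAILED_LOGIN"}},
                        # {{period_end}} is substituted by the plugin at each run (assumed)
                        {"range": {"@timestamp": {
                            "gte": "{{period_end}}||-%dm" % lookback,
                            "lte": "{{period_end}}",
                            "format": "epoch_millis"}}},
                    ]}},
                },
            }
        }],
        "triggers": [{
            "name": "Unauthorized Access Events on ES Cluster",
            "severity": "1",
            "condition": {"script": {
                # Painless equivalent of the UI's "Above <threshold>" condition
                "source": "ctx.results[0].hits.total.value > %d" % threshold,
                "lang": "painless"}},
            # add an action with a destination_id here to notify Slack/Chime/webhook
            "actions": [],
        }],
    }


def trigger_fires(search_response, threshold=THRESHOLD):
    """Local mirror of the Painless condition: True when the query's hit
    count exceeds `threshold`. Useful for checking what 'Above 5' means
    before deploying (exactly 5 failed logins does NOT fire)."""
    return search_response["hits"]["total"]["value"] > threshold


def create_monitor(body, base_url, user, password):
    """POST the monitor to the cluster and return the parsed JSON reply.
    Uses HTTP basic auth against the security plugin (credentials from env)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/_opendistro/_alerting/monitors",  # assumed path
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + token},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # ES_URL, ES_USER and ES_PASSWORD are assumed environment variables, e.g.
    # ES_URL=https://localhost:9200 ES_USER=admin ES_PASSWORD=... python monitor.py
    reply = create_monitor(build_monitor(), os.environ["ES_URL"],
                           os.environ["ES_USER"], os.environ["ES_PASSWORD"])
    print(json.dumps(reply, indent=2))
```

The reply contains the new monitor's _id, which you can then open in the Alerting tab exactly as with a UI-created monitor; the Painless condition and the 5-minute range filter are the same ones the UI generates from the WHEN/WHERE form.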

Open the Monitor. You'll see the History panel showing its status. Open another browser window in incognito mode and simulate failed login attempts. Within 1 minute you will see the Alert being generated and the Monitor will enter the triggered state. You can Acknowledge the alert. After 5 minutes have passed, the Monitor status will go Green again.