Documents Level Monitor without findings

kpfeffer · March 16, 2023, 7:04pm

Opensearch: 2.6.0
Opensearch-Dashboards: 2.6.0

Hi Everyone,

trying to get Document Level Alerting for our ECS based Logs running. Unfortunately i never get any findings even for the most simple queries (Extraction or Gui Based Monitor).

Using the Query on the _search API is working fine.

{
    "description": "Monitor Failed Logins to Switches",
    "queries": [
        {
            "id": "failed_logon_events",
            "name": "failed_logon_events",
            "query": "event.outcome:\"failure\"",
            "tags": [
                "failed_logon"
            ]
        }
    ]
}

Tried this on 3 Fresh Installations and always the same outcome. Index is using ECS Mappings if this is relevant.

with best regards,
Kevin

Some Logs from DEBUG Output of *.alerting

[2023-03-16T19:05:45,995][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {domain={type=keyword, ignore_above=1024}, email={type=keyword, ignore_above=1024}, full_name={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, group={properties={domain={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024}}}, hash={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, roles={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,995][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {domain={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,995][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {domain={type=keyword, ignore_above=1024}, email={type=keyword, ignore_above=1024}, full_name={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, group={properties={domain={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024}}}, hash={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, roles={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,995][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {domain={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,995][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {domain={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,995][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {domain={type=keyword, ignore_above=1024}, email={type=keyword, ignore_above=1024}, full_name={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, group={properties={domain={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024}}}, hash={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, roles={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,995][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {domain={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,996][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {device={properties={name={type=keyword, ignore_above=1024}}}, name={type=keyword, ignore_above=1024}, original={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, os={properties={family={type=keyword, ignore_above=1024}, full={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, kernel={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, platform={type=keyword, ignore_above=1024}, type={type=keyword, ignore_above=1024}, version={type=keyword, ignore_above=1024}}}, version={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,996][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {name={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,996][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {family={type=keyword, ignore_above=1024}, full={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, kernel={type=keyword, ignore_above=1024}, name={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, platform={type=keyword, ignore_above=1024}, type={type=keyword, ignore_above=1024}, version={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,996][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {category={type=keyword, ignore_above=1024}, classification={type=keyword, ignore_above=1024}, description={type=keyword, ignore_above=1024, fields={text={type=text, norms=false}}}, enumeration={type=keyword, ignore_above=1024}, id={type=keyword, ignore_above=1024}, reference={type=keyword, ignore_above=1024}, report_id={type=keyword, ignore_above=1024}, scanner={properties={vendor={type=keyword, ignore_above=1024}}}, score={properties={base={type=float}, environmental={type=float}, temporal={type=float}, version={type=keyword, ignore_above=1024}}}, severity={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,996][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {vendor={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:45,996][DEBUG][o.o.a.u.DocLevelMonitorQueries] [ntsv25] Node in traverse: {base={type=float}, environmental={type=float}, temporal={type=float}, version={type=keyword, ignore_above=1024}}
[2023-03-16T19:05:46,169][DEBUG][o.o.a.c.JobSweeper       ] [ntsv25] Not a valid job type in document AEGZ64YBZlLLy0xXiVIG-metadata to sweep.
[2023-03-16T19:05:46,178][DEBUG][o.o.a.MonitorMetadataService] [ntsv25] Successfully upserted MonitorMetadata:AEGZ64YBZlLLy0xXiVIG-metadata

pdz · March 28, 2023, 12:07am

Can you please share your monitor JSON ?

kpfeffer · March 29, 2023, 11:52am

{
   "name": "Failed Switch Logons",
   "type": "monitor",
   "monitor_type": "doc_level_monitor",
   "enabled": true,
   "schedule": {
      "period": {
         "unit": "MINUTES",
         "interval": 1
      }
   },
   "inputs": [
      {
         "doc_level_input": {
            "description": "Monitor Failed Logins to Switches",
            "indices": [
               "ecs-logstash-switch-*"
            ],
            "queries": [
               {
                  "id": "failed_logon_events",
                  "name": "failed_logon_events",
                  "query": "event.outcome:\"failure\"",
                  "tags": [
                     "failed_logon"
                  ]
               }
            ]
         }
      }
   ],
   "triggers": [
      {
         "document_level_trigger": {
            "id": "cUGZ64YBZlLLy0xXiFEq",
            "name": "trigger-failed-logon",
            "severity": "2",
            "condition": {
               "script": {
                  "source": "query[tag=failed_logon]",
                  "lang": "painless"
               }
            },
            "actions": []
         }
      }
   ],
   "ui_metadata": {
      "schedule": {
         "timezone": null,
         "frequency": "interval",
         "period": {
            "unit": "MINUTES",
            "interval": 15
         },
         "daily": 0,
         "weekly": {
            "tue": false,
            "wed": false,
            "thur": false,
            "sat": false,
            "fri": false,
            "mon": false,
            "sun": false
         },
         "monthly": {
            "type": "day",
            "day": 1
         },
         "cronExpression": "0 */1 * * *"
      },
      "monitor_type": "doc_level_monitor",
      "doc_level_input": {
         "queries": [
            {
               "id": "failed_logon_events",
               "queryName": "failed_logon_events",
               "field": "event.outcome",
               "operator": "==",
               "query": "failure",
               "tags": [
                  "failed_logon"
               ]
            }
         ]
      },
      "search": {
         "searchType": "query"
      }
   }
}

And an example document:

{
  "_index": "ecs-logstash-switch-2023.13",
  "_id": "8BEtLYcBZlLLy0xXLGKe",
  "_version": 1,
  "_score": null,
  "_source": {
    "timestamp_source": "Mar 29 13:42:29",
    "message": "invalid user name/password on ssh session user 'dasklj' is trying to login from 172.x.x.x",
      "user": [
        "dasklj"
      ]
    },
    "@version": "1",
    "log": {
      "syslog": {
        "appname": "auth",
        "severity": {
          "code": 4,
          "name": "warning"
        },
        "hostname": "172.x.x.x",
        "facility": {
          "code": 1,
          "name": "user-level"
        }
      }
    },
    "type": "syslog",
    "tags": [
      "procurve",
      "syslog",
      "syslog_rfc3164",
      "_geoip_lookup_failure"
    ],
    "time_elapsed_logstash": -1.311482807,
    "timestamp_logstash": "2023-03-29T11:42:27.688517193Z",
    "procurve": {
      "management_module": "ST1-CMDR",
      "management_protocol": "SSH"
    },
    "user": {
      "name": "dasklj",
      "hash": "6288addb0e25baeb49f24ea317d91c16d92ef9be"
    },
    "@timestamp": "2023-03-29T11:42:29.000Z",
    "event": {
      "code": "00419",
      "action": "logon-failed",
      "category": "authentication",
      "provider": "auth",
      "outcome": "failure",
      "kind": "event"
    }
  },
  "fields": {
    "@timestamp": [
      "2023-03-29T11:42:29.000Z"
    ]
  }
}

system · May 28, 2023, 11:52am

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Failed to start Document-level-monitor: Inconsistency of field data structures across documents for field Security Analytics	4	673	May 28, 2023
Error message for orphaned monitor OpenSearch	2	266	May 3, 2023
Monitor Alerting Query OpenSearch configure	1	154	February 7, 2024
Indexing the results of an Alerting Monitor OpenSearch alerting	0	303	December 19, 2022
Alert notifications per document returned? Alerting discuss	1	368	July 27, 2022

Documents Level Monitor without findings

Related topics