v 2.6.0
I am looking to use bucket aggregations to alert on Entitlement changes in SQL server audit logs.
I have the query built and returning correct logs in discover, but when I try to create a bucket aggregation, I am unable to get the “message” text included in the Extraction query response. The end goal would be to include ALL of the message text in the Extraction query response so I can include the text in a trigger.
Configuration:
The query I am using is looking for:
```json
"match_phrase": {
  "message": "statement:ALTER SERVER ROLE"
}
```
I am then nesting my aggregations on individual host.names.
```json
"aggregations": {
  "serverNames": {
    "terms": {
      "field": "host.hostname.keyword",
      "size": 10,
      "min_doc_count": 1,
      "shard_min_doc_count": 0,
      "show_term_doc_count_error": false,
      "order": [
        { "_count": "desc" },
        { "_key": "asc" }
      ]
    },
    "aggregations": {
      "serverMessage": {
        "terms": {
          "field": "message.keyword",
          "size": 100,
          "min_doc_count": 1,
          "shard_min_doc_count": 0,
          "show_term_doc_count_error": false,
          "order": [
            { "_count": "desc" },
            { "_key": "asc" }
          ]
        }
      }
    }
  }
}
```
The only thing that isn’t working is getting the FULL TEXT from the message term into the Extraction query response. I have tried to use significant_text, but that just seems to return random junk from the log.
Relevant Logs or Screenshots:
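Added example, not part of the original post: the same per-host bucketing as above, but with a `top_hits` sub-aggregation instead of a `terms` aggregation on `message.keyword`, so each host bucket carries the full `_source` message (a keyword `terms` aggregation only sees values that were indexed into the keyword subfield, which by default skips strings longer than its `ignore_above` limit). The helper walks a constructed sample response in the shape OpenSearch returns, mirroring what a trigger would iterate over in `ctx.results[0].aggregations.serverNames.buckets`; host and message values are made up.

```python
import json

# Extraction query: field names follow the post; "top_hits" replaces the
# inner "terms" aggregation so whole documents come back per host bucket.
EXTRACTION_QUERY = {
    "size": 0,
    "query": {"match_phrase": {"message": "statement:ALTER SERVER ROLE"}},
    "aggregations": {
        "serverNames": {
            "terms": {"field": "host.hostname.keyword", "size": 10},
            "aggregations": {
                "serverMessage": {
                    # top_hits returns _source, so the message is untruncated
                    # regardless of any ignore_above on message.keyword.
                    "top_hits": {"size": 100, "_source": ["message", "@timestamp"]}
                }
            },
        }
    },
}


def messages_by_host(response: dict) -> dict:
    """Collect the full message text per host from an aggregation response,
    the same walk a trigger action template would do over the buckets."""
    out = {}
    for bucket in response["aggregations"]["serverNames"]["buckets"]:
        hits = bucket["serverMessage"]["hits"]["hits"]
        out[bucket["key"]] = [h["_source"]["message"] for h in hits]
    return out


# Constructed sample response (not a real capture) in OpenSearch's shape.
SAMPLE_RESPONSE = {
    "aggregations": {
        "serverNames": {
            "buckets": [
                {
                    "key": "sql-example-01",
                    "doc_count": 1,
                    "serverMessage": {"hits": {"hits": [
                        {"_source": {"message": "statement:ALTER SERVER ROLE [sysadmin] ADD MEMBER [EXAMPLE\\svc_account]"}}
                    ]}},
                }
            ]
        }
    }
}

if __name__ == "__main__":
    print(json.dumps(EXTRACTION_QUERY, indent=2))
    print(messages_by_host(SAMPLE_RESPONSE))
```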