Per document monitor does not support filebeat data stream?

Plugins Alerting
1

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):
2.9

target: per document monitor on filebeat data stream to capture SSH event to send out email

issue: no filebeat data stream / index shown on index selection

no_index
no_index1339Ă—638 80.4 KB

as not succeed in UI, tried to use API POST _plugins/_alerting/monitors

api2
api2700Ă—285 34.4 KB

checked json format ok and seems related index not found issue
from internet, any thing related to permission? cross cluster index?
for permission, it should be ok as that is admin account
and there is only one cluster
thanks for any hints

2

Hi @igs-employee ,

From the above, you’re using Filebeat to send logs to Opensearch and from these logs you would like to create an alert on each ssh attempt and for it to prompt an email as a result.

Lets. first figure out a few questions:

  • are these ssh events being monitored and is Filebeats sending them to Opensearch?
  • Can you see and send a sample of these events?
  • Which index are these events being sent to?
  • Are you querying the index which contains these logs in the per document monitor you’re trying to create?

Let me know when you validated and tested the above. You can also send on any sample information to show your validations,

Leeroy.

3

filebeat → opensearch → data stream filebeat-8.18.2 → .ds-filebeat-8.18.2-000025 (index from data stream)

filebeat_sameple1
filebeat_sameple1426Ă—729 53.3 KB

trying to query such log in per document monitor

4

filebeat_sameple2
filebeat_sameple2820Ă—698 64.3 KB

full document

1st pic in 1st post shows filebeat related index not shown in “select index”

5

Hi, Can you share the body of POST _plugins/_alerting/monitors ?

6

POST _plugins/_alerting/monitors
{
“type”: “monitor”,
“name”: “test_monitor”,
“monitor_type”: “doc_level_monitor”,
“enabled”: true,
“schedule”: {
“period”: {
“interval”: 1,
“unit”: “MINUTES”
}
},
“inputs”: [
{
“doc_level_input”: {
“indices”: [“filebeat-*”],
“queries”: [
{
“id”: “q1”,
“name”: “test_query”,
“query”: {
“match_all”: {}
}
}
]
}
}
],
“triggers”:
}

7

Trigger is mandatory for per document monitor, can you try to add a simple trigger

8

Hey @igs-employee ,

I done some testing on the version you’re running and I did find a workaround you can use to do it via the UI.

Although it is a workaround and I do recommend you log an issue for a feature request to be added. - GitHub · Where software is built

  1. Go to Notifications and add a channel required for your alert (this is the trigger @MHR is referring to)
  2. Next through the UI you can create a monitor like before, I suggest testing first with a field that will stay the same. i.e event.action = ssh_login.

To get the workaround working encompass the index with wildcards and ignore the warning.

Screenshot from 2025-07-18 16-37-28
Screenshot from 2025-07-18 16-37-28480Ă—270 9.78 KB

Then when you’ve filled out everything, save the alert and then force some ssh logs. The monitor will work and you will be prompted alerts without having to create via the API.

Hopefully this helps,

Leeroy.

1 Like
9

POST _plugins/_alerting/monitors
{
“type”: “monitor”,
“name”: “test_monitor”,
“monitor_type”: “doc_level_monitor”,
“enabled”: true,
“schedule”: {
“period”: {
“interval”: 1,
“unit”: “MINUTES”
}
},
“inputs”: [
{
“doc_level_input”: {
“indices”: [“filebeat-*”],
“queries”: [
{
“id”: “q1”,
“name”: “test_query”,
“query”: {
“match_all”: {}
}
}
]
}
}
],
“triggers”: [ { “document_level_trigger”: {
“name”: “test-trigger”,
“severity”: “1”,
“condition”: {
“script”: {
“source”: “(query[name=sigma-123] || query[tag=tag3]) && query[name=sigma-789]”,
“lang”: “painless”
}
},
“actions”: [
{
“name”: “test-action”,
“destination_id”: “E4o5hnsB6KjPKmHtpfCA”,
“message_template”: {
“source”: “”“Monitor just entered alert status. Please investigate the issue. Related Finding Ids: {{ctx.alerts.0.finding_ids}}, Related Document Ids: {{ctx.alerts.0.related_doc_ids}}”“”,
“lang”: “mustache”
},
“action_execution_policy”: {
“action_execution_scope”: {
“per_alert”: {
“actionable_alerts”:
}
}
},
“subject_template”: {
“source”: “The Subject”,
“lang”: “mustache”
}
}
]
}}]
}

{
“error”: {
“root_cause”: [
{
“type”: “alerting_exception”,
“reason”: “Can’t get text on a START_OBJECT at 20:22”
}
],
“type”: “alerting_exception”,
“reason”: “Can’t get text on a START_OBJECT at 20:22”,
“caused_by”: {
“type”: “exception”,
“reason”: “java.lang.IllegalStateException: Can’t get text on a START_OBJECT at 20:22”
}
},
“status”: 500
}

10

version difference?
in my page, that is “select data”.
while your page “Data source”

11

What exact version are you using? You said 2.9? did you test it either way?

12

testing on 2.9.2

13

@igs-employee is it 2.9.2 or 2.19.2?

14

so sorry, my bad
double checked 2.19.2
keep entering 2.9…

15

finally it works. thanks

1 Like
16

That’s great news! no worries on the version. Glad it is working for you now!

17

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.