Query for specific string in message field
Posted: Wed Jan 13, 2016 7:02 pm
by krobertson71
I have a Linux admin who is looking for specific strings in the message field. He wants a unique alert per example below.
Examples:
COMMAND=/bin/su
COMMAND=/bin/su -
COMMAND=/bin/su root
etc...
I have tried this a few ways. My last attempt with Lucene was "Message:"Command=/bin/su -"". Problem is it returns everything that comes after the "-" as well, like "COMMAND=/bin/su - userid".
Is there a way to tell it to only look for this string and nothing else? Do I need to change this to a regex pattern? I have not done regex searches with NLS (Kibana) yet.
Re: Query for specific string in message field
Posted: Thu Jan 14, 2016 11:43 am
by jolson
He wants a unique alert per example below
There are a few ways to approach the alert problem, first of all. The question comes down to: how many alerts (and therefore distinct queries) do you want to make?
If the volume of this type of log is low, I suggest making a single query for all of your commands - you would attach this to a single alert running once every ~2 minutes for example. If your volume is high, you might want to make many queries and therefore many alerts. The reasoning behind making many queries and many alerts is that the information you receive back would be more distinct.
Which approach would you like to take?
Re: Query for specific string in message field
Posted: Thu Jan 14, 2016 3:38 pm
by krobertson71
Here is the Lucene query I have now that is populating a dashboard: user is just where I scrubbed out id's and service accounts.. Assume they are unique.
message:"COMMAND=/bin/su"~ -"user" -"user" -"user" -"user" -"user"
This allows me to grab all /bin/su and filter out other noise. This left only about 22 results for a 7 day period. But, I want a query that does not have to be monitored for changes to the exclusions.
So.. one query may be just fine, so let's take that approach..
Here is the full list I was given to search for. Remember they are asking for unique emails for each, but I think they may be happy with summary email if we can exclude all but the conditions listed below:
Also they put these as "Sudo this and that". The Syslog pattern puts the Sudo part in the program field. In the message it's COMMAND=/bin/su - or COMMAND=/bin/su or COMMAND=/bin/su root.. for example.
Also ignore the brackets for the last two. They are just saying give me an alert if one of my admins try to sudo su to that user. So those would be 3 event conditions each.
sudo su
sudo su -
sudo su root
sudo su - root
su
su -
su root
su - root
sudo su [admin1|admin2|admin3]
sudo su - [admin1|admin2|admin3]
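The matching problem in this thread (a phrase query on the message field behaves like a prefix match, so "COMMAND=/bin/su -" also hits "COMMAND=/bin/su - userid") is easiest to see with anchored patterns applied to the COMMAND= value alone. The following is an added example, not code from the thread or from Nagios Log Server: it runs the full condition list above over a few constructed sudo syslog lines, one pattern per condition so each can drive its own alert. The sample lines, the admin1/admin2/admin3 names and the `message.raw` field name are assumptions; the patterns use only the syntax shared by Python's `re` and Lucene's regexp (literal spaces, plain groups) so the same strings can be reused in an Elasticsearch regexp query against an unanalyzed copy of the field, which is where the thread's space-handling trouble comes from (the analyzed message field is split on whitespace, so a regexp there only ever sees one token).

```python
import re

# Constructed sudo syslog lines for the demo; not taken from the thread's system.
SAMPLE_LINES = [
    "Jan 14 11:02:01 host1 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su",
    "Jan 14 11:02:05 host1 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/su -",
    "Jan 14 11:02:09 host1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su root",
    "Jan 14 11:02:12 host1 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su - root",
    "Jan 14 11:02:20 host1 sudo:  carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su - svcacct",
    "Jan 14 11:02:25 host1 sudo:  carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/su admin2",
    "Jan 14 11:02:30 host1 sudo:   dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/ls -la",
]

# Placeholder admin names standing in for the [admin1|admin2|admin3] list in the thread.
ADMIN_ACCOUNTS = ("admin1", "admin2", "admin3")
ADMIN_ALT = "(" + "|".join(re.escape(a) for a in ADMIN_ACCOUNTS) + ")"

# One pattern per alert condition, written in the subset of regex syntax shared by
# Python's re and Lucene's regexp (literal spaces, plain groups, no \s or \d).
# Each is matched against the whole COMMAND= value, so "/bin/su -" cannot also
# match "/bin/su - svcacct": the match has to end exactly where the value ends.
CONDITIONS = {
    "su":           "/bin/su",
    "su -":         "/bin/su -",
    "su root":      "/bin/su root",
    "su - root":    "/bin/su - root",
    "su <admin>":   "/bin/su " + ADMIN_ALT,
    "su - <admin>": "/bin/su - " + ADMIN_ALT,
}

# sudo's syslog format: "sudo:  <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=<cmd>"
SUDO_LINE = re.compile(r"sudo:\s+(?P<user>\S+)\s*:.*?COMMAND=(?P<cmd>.*?)\s*$")


def naive_match(line, needle):
    """The substring behaviour the thread's phrase query had: a prefix, not an exact match."""
    return needle in line


def classify(line):
    """Return (condition, user) when the COMMAND= value exactly meets one condition, else None."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    cmd = m.group("cmd")
    for name, pattern in CONDITIONS.items():
        if re.fullmatch(pattern, cmd):
            return name, m.group("user")
    return None


def alerts(lines):
    """One entry per condition hit, which is the grouping a per-condition alert would use."""
    hits = []
    for line in lines:
        result = classify(line)
        if result:
            hits.append((result[0], result[1], line))
    return hits


def es_regexp_query(field, pattern):
    """Elasticsearch regexp query body for the same pattern. Assumes `field` is an
    unanalyzed (keyword) copy of the message, e.g. message.raw (an assumption here).
    Lucene regexps are implicitly anchored to the whole term, so the leading .* skips
    the syslog prefix and the pattern must still end where the COMMAND= value ends."""
    return {"query": {"regexp": {field: ".*COMMAND=" + pattern}}}


if __name__ == "__main__":
    for cond, user, line in alerts(SAMPLE_LINES):
        print(f"{cond:14s} {user:8s} {line[-40:]}")
```

The carol/svcacct line is the case the thread is fighting: `naive_match` accepts it for "COMMAND=/bin/su -", while `classify` rejects it and only fires the "su - <admin>" or "su - root" conditions when the target user is one of the listed ones. Using one anchored pattern per condition is what lets the single query approach from the reply above still produce distinct, per-condition alerts without maintaining a growing list of `-"user"` exclusions.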
Re: Query for specific string in message field
Posted: Fri Jan 15, 2016 2:31 pm
by jolson
The answer to this question is actually rather complicated unfortunately - I think it would be best if we set up a remote session so that I could meet your requirements on a live session. The complication is due to the way that elasticsearch treats spaces when doing a search. Lucene allows spaces to be escaped using '\', and does not allow 'begins with' or 'ends with' operators. The regular expression library doesn't allow spaces in any way that I could find. I think that we could come up with a working solution in a remote session given some time to see and manipulate the data live. Could you send a ticket to
[email protected] please? I'll pick up your ticket and we can get a remote started.
Jesse
Re: Query for specific string in message field
Posted: Fri Jan 15, 2016 3:01 pm
by krobertson71
I will do that. Just give me a day or two. Being pulled into some other stuff at the moment. Oh how nice it would be to be able to focus on just one or two things.....

Re: Query for specific string in message field
Posted: Fri Jan 15, 2016 3:04 pm
by jolson
No worries, I'll wait for your email. Thanks!