Using ELK and watcher to set up alerts

Hi there,

Setting up ELK (Elasticsearch, Logstash and Kibana) is really easy (follow the guide here). It is also ideal for use at home, to collect logs and get visibility into your home network. If you also install X-Pack you get a feature called "Watcher", which lets you alert on certain events. When I set this up in a lab recently I found out that it was not that easy to get started, so I decided I should share what I found out.

First of all, in the lab I had a Palo Alto firewall producing logs. What I wanted to do was to alert if someone tried to log on to it and produced a failed login. In Palo Alto this is reported under the "VirtualSystem" and the category "auth-fail". More information about the fields can be found here. So basically I had to set up a watch that alerts whenever an auth-fail event is sent from the Palo Alto device.

After you have parsed the information out of the Palo Alto logs using Logstash and put it into Elasticsearch, this is what the field looks like in Kibana:


So to simply match on this with a watch, this is what you can do from the Dev Tools console in the Kibana GUI (if you are running X-Pack). If not, you can send the same request to the Elasticsearch REST API from the command line:

Once this triggers, you will get an entry with the logging text "WARNING PALO ALTO LOGIN ATTEMPT" in the Elasticsearch log, which on CentOS 7 is located at /var/log/elasticsearch/elasticsearch.log.

NOTE! Make sure that you point the watch at the correct index. If you have not changed anything, Logstash writes to the default index (logstash- followed by the date), but as I created a dedicated index for the Palo Alto logs, the index row in the watch may well be different for you depending on where you put your data.
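Since the watch itself is not reproduced above, here is an added example (my own code, not the post's or Elastic's) that builds the same kind of watch, renders it as the PUT request you would paste into Kibana Dev Tools or send with curl, and evaluates its condition offline against constructed search responses so you can see exactly when the "WARNING PALO ALTO LOGIN ATTEMPT" line would be written. The index pattern "paloalto-*", the field name "EventID" and the watch id "paloalto_auth_fail" are assumptions; substitute whatever your Logstash pipeline produces, which is the index caveat from the note above. The endpoint shown is the X-Pack era "_xpack/watcher/watch"; Elasticsearch 7 and later renamed it to "_watcher/watch".

```python
import json

# Assumptions (not from the original post, which does not show its watch):
# the Palo Alto logs sit in their own index matching "paloalto-*", the
# Logstash pipeline stores the PAN-OS event name in a field called
# "EventID", and the X-Pack era endpoint _xpack/watcher is in use
# (Elasticsearch 7+ renamed it to _watcher).
INDEX_PATTERN = "paloalto-*"
EVENT_FIELD = "EventID"
EVENT_VALUE = "auth-fail"
LOG_TEXT = "WARNING PALO ALTO LOGIN ATTEMPT"


def build_watch(index=INDEX_PATTERN, field=EVENT_FIELD, value=EVENT_VALUE,
                window="5m", interval="1m"):
    """Build a watch that runs every `interval`, searches `index` for
    `field: value` events newer than `window`, and writes a warning to the
    Elasticsearch log when at least one is found."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "indices": [index],
            "body": {
                "size": 0,  # only the hit count is needed, not the documents
                "query": {"bool": {"filter": [
                    {"term": {field: value}},
                    {"range": {"@timestamp": {"gte": "now-" + window}}},
                ]}},
            },
        }}},
        # Fire only when the search returned at least one document.
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": 0}}},
        "actions": {"log_failed_login": {"logging": {
            "level": "warn",
            "text": LOG_TEXT + ": {{ctx.payload.hits.total}} auth-fail events "
                    "in the last " + window,
        }}},
    }


def _lookup(ctx, dotted_path):
    """Resolve a Watcher-style path such as ctx.payload.hits.total."""
    node = {"ctx": ctx}
    for key in dotted_path.split("."):
        node = node[key]
    # Elasticsearch 7+ reports hits.total as {"value": N, "relation": ...}
    # over the REST API; accept both shapes so the check is version-agnostic.
    if isinstance(node, dict) and "value" in node:
        node = node["value"]
    return node


_OPS = {
    "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b,
    "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
    "eq": lambda a, b: a == b, "not_eq": lambda a, b: a != b,
}


def condition_met(watch, search_response):
    """Evaluate the watch's `compare` condition against a search response,
    the same way Watcher does after the search input has run."""
    (path, spec), = watch["condition"]["compare"].items()
    (op, expected), = spec.items()
    actual = _lookup({"payload": search_response}, path)
    return _OPS[op](actual, expected)


def dev_tools_request(watch_id, watch):
    """Render the request as typed into the Kibana Dev Tools console."""
    return "PUT _xpack/watcher/watch/%s\n%s" % (watch_id, json.dumps(watch, indent=2))


def curl_request(watch_id, watch, host="http://localhost:9200", user="elastic"):
    """Equivalent request for the command line, for hosts without Kibana."""
    return ("curl -u %s -H 'Content-Type: application/json' "
            "-X PUT '%s/_xpack/watcher/watch/%s' -d '%s'"
            % (user, host, watch_id, json.dumps(watch)))


# Constructed search responses standing in for what the input would return.
NO_HITS = {"took": 2, "hits": {"total": 0, "hits": []}}
THREE_HITS = {"took": 3, "hits": {"total": 3, "hits": []}}
ES7_HITS = {"hits": {"total": {"value": 2, "relation": "eq"}, "hits": []}}


if __name__ == "__main__":
    watch = build_watch()
    print(dev_tools_request("paloalto_auth_fail", watch))
    for name, resp in (("no hits", NO_HITS), ("three hits", THREE_HITS)):
        print("%s -> condition met: %s" % (name, condition_met(watch, resp)))
```

Two practical points. If Logstash mapped the event field as text rather than keyword, the term filter will not match the analysed value; point the watch at the keyword subfield (for example EventID.keyword) instead. And before waiting for the schedule, run the watch once by hand with POST _xpack/watcher/watch/paloalto_auth_fail/_execute and then tail /var/log/elasticsearch/elasticsearch.log to confirm the warning line appears.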

More information can be found here:
Watcher reference at Elastic
The official forum is also a good place to start if you run into issues:
Elastic forum
