    Ashish Singh
    @ashishkaransingh
    Hey, finally I used Docker and was able to hit the URL :)
    I figured out the default ID/password and I am in now.
    I have installed Elasticsearch on my VM, but where/how do I configure Elasticsearch with 411? I'm afraid I do not see the instructions in the documentation.
    Kai
    @kiwiz
    There's a configuration section in the config.php file.
    Ashish Singh
    @ashishkaransingh
    OK, I am going to look into it now.
    Ashish Singh
    @ashishkaransingh
    Can we use it without Logstash?
    Ashish Singh
    @ashishkaransingh
    I do not see Logstash under "Create > Type". Is this because I installed Logstash on another server, different from where Elasticsearch is installed?
    Elasticsearch is installed on Ubuntu (VM), and I have installed Winlogbeat and Logstash on my host machine and am sending data from my host.
    Please advise!
    dsvetlov
    @dsvetlov
    411 doesn't use Logstash.
    Logstash is just a name for the source.
    Ashish Singh
    @ashishkaransingh
    I see, Beats will be using this, but good to know that it is not dependent on Logstash. Thanks!
    Ashish Singh
    @ashishkaransingh
    I get "invalid timezone" when I select Asia/Calcutta while creating a new user! Can someone please tell me why?
    Ashish Singh
    @ashishkaransingh
    Instead of Asia/Calcutta, Asia/Kolkata works.
    I have set up 411 and ELK using Docker. When I save a user I get the following error:
    SQLSTATE[HY000]: General error: 8 attempt to write a readonly database
    Ashish Singh
    @ashishkaransingh
    This is an excerpt from the docker-compose file for 411:

    411_poc:
      image: kaiz/411:es6x
      networks:
        411_poc:
      ports:
        - 8080:80
      volumes:
        - /opt/411/411_data:/data:ro
      depends_on:
        - elasticsearch

    Where do I need to provide "write permission"?

    Ashish Singh
    @ashishkaransingh
    Do I need to open the 411 container in interactive mode like this:
    sudo docker exec -it 411_411_poc_1 /bin/bash
    Which file do I need to target to change permissions?
    Am I on the right track?
    Ashish Singh
    @ashishkaransingh
    Kai
    @kiwiz
    411 needs write access to the /data directory. Try removing :ro from your volume definition.
    Ashish Singh
    @ashishkaransingh
    Yes, I tried that and then chmod took effect. Thanks!
    Ashish Singh
    @ashishkaransingh

    Hi,

    I have been playing and testing and it is really a useful tool.

    I successfully tested Result Type "Fields" and it is working as expected.
    But Result Type "Count" is where I need some assistance.

    Ashish Singh
    @ashishkaransingh

    Steps to recreate:

    I have Winlogbeat sending logs, which are getting stored in Elasticsearch.
    I want to alert based on count, for example: messages containing the keyword "shutdown"
    Minimum: 4
    Maximum: 8
    I do see I have logs containing the keyword "shutdown", but still, when I test or execute it, it does not show any alert. Why?

    Is my interpretation of "Result Filter" for Count correct?

    At least = Minimum count
    At most = Maximum count

    Ashish Singh
    @ashishkaransingh
    It worked when I used :)
    At least = 4
    At most = 100
    I got the count 27.
    Ashish Singh
    @ashishkaransingh
    No need to reply to the above question, as I discovered how to run a count-based search.
    Ashish Singh
    @ashishkaransingh

    A very important question:
    How would one tag/identify the count of messages by host?
    Example: Count 27 Host: XYZ_SERVER

    Currently I get the count, which is fine, but I do not know the name of the host/server. How do you resolve this when you are collecting logs from multiple hosts?
    Ashish Singh
    @ashishkaransingh
    Winlogbeat collects the host name.
    I want to tag host name to the alerts, so we know the host a particular alert was triggered for.
    Ashish Singh
    @ashishkaransingh
    @kiwiz It is very important, otherwise one would not know which host is having an issue.
    Ashish Singh
    @ashishkaransingh
    @kiwiz So basically I would need to group by the term host.name.keyword in 411. How?
    Ashish Singh
    @ashishkaransingh
    I tried adding the field host.name into Fields and it seems to be working.
    Ashish Singh
    @ashishkaransingh
    How can I use this for Count, as stated before?
    Example:
    Count 27 Host: XYZ_SERVER
    Count 14 Host: ABC_SERVER
    Count 20 Host: FGH_SERVER
    Kai
    @kiwiz
    @ashishkaransingh try using an aggregation.
    Ashish Singh
    @ashishkaransingh

    @kiwiz It is easy to do this using Kibana > Visualization, but it would be interesting to know how to issue a query from the query box in 411. The below does not work; plus, how can I use group by on host.name?

    {
      "aggs": {
        "log_event_count": { "count": { "field": "log.level" } }
      }
    }

    It makes sense.
    Ashish Singh
    @ashishkaransingh

    Here is the example:
    Get a count of requests to abc.com bucketed by ip_addr.
    host:abc.com | agg:terms field:ip_addr

    How can i translate into what i am looking for?

    Ashish Singh
    @ashishkaransingh
    I basically want to do this using a query in 411:
    Select count(log.level=error) from Winlogbeat group by host
    Ashish Singh
    @ashishkaransingh
    So far I got this, but it's not working:
    log.level:error|"aggs":"terms"|field:"host.hostname.keyword","size":10,"order":"_key":"desc","min_doc_count":1
    This brings no result either:
    log.level:error aggs:terms field:host.hostname.keyword
    Ashish Singh
    @ashishkaransingh
    Is this right? If yes, then can I use this? I took some help from https://github.com/etsy/411/blob/master/docs/ESQuery.md.
    Please advise.
    {
      "query": {
        "term": {
          "log.level": "error"
        }
      },
      "aggs": {
        "host.name": {
          "terms": {
            "field": "host.name"
          }
        }
      }
    }
    Kai
    @kiwiz
    You don't need to include most of the other fields:
    log.level:error | agg:terms field:host.hostname.keyword size:10
    Ashish Singh
    @ashishkaransingh
    Sure, I will try this as soon as I spin up my VM. Thank you so much!
    Ashish Singh
    @ashishkaransingh
    I used "Fields" and it works. I will try with multiple hosts, great! Thank you!