DEVHIDE
Login Or Sign up

Elastalert rule for different messages

678 Views Asked by At

Want to find and alert events by this rule:

filter:
 - query:
      query_string:
        query: "message: *tried to login* OR message: *invalid username or password* OR message: *incorrect login attempts* OR message: *Couldn't find user named*"

i.e I want alerting when any of message appear in Elastic index. But it doesn't work. How I can correctly describe this query section?

elastalert
Original Q&A
1

There are 1 best solutions below

0
On

Solved by this:

filter:
 - query:
      query_string:
        query: "message:\"tried to login\" OR message:\"Invalid username or password\""

Related Questions in ELASTALERT

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.