ELK watcher WIP

modules/utilities/unix/logging/watcher/manifests/configure.pp

@@ -0,0 +1,23 @@
+class watcher::configure {
+
+  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
+  $elasticsearch_ip = $secgen_parameters['elasticsearch_ip'][0]
+  $elasticsearch_port = 0 + $secgen_parameters['elasticsearch_port'][0]
+
+  # Search string within kibana for a successful login on account: 'test'
+  # "event.category : user-login and event.type : user_login and auditd.result : success and user.name_map.auid : test"
+
+
+  # TODO: Need some automated curl script that utilises a template to generate "create watcher" request
+
+  # Need to send a request to: "172.16.0.2":9200  [ $elasticsearch_ip:$elasticsearch_port ]
+  # PUT _xpack/watcher/watch/my-watch
+  # templates('watcher/watch.json.erb')
+
+  # First: Get it working within Kibana, there is a testing tool within 'Dev tools' section
+  # Second: Create a way to detect whether the watcher is registered correctly, we can GET the watcher endpoint in kibana to check
+  # Third: Implement functionality so the watcher fires a HTTP request to 172.16.0.2:8080
+  # Fourth: Implement a dummy webserver running on 8080 that can recieve requests + displays their contents on the screen.
+  # Fifth: Look into adding SSL to this whole process.
+
+}

modules/utilities/unix/logging/watcher/secgen_metadata.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0"?>
+
+<utility xmlns="http://www.github/cliffe/SecGen/utility"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://www.github/cliffe/SecGen/utility">
+  <name>Watcher</name>
+  <author>Thomas Shaw</author>
+  <author>Elastic</author>
+  <module_license>Apache v2</module_license>
+  <description>TODO</description>
+
+  <type>log_tool</type>
+  <platform>linux</platform>
+
+  <read_fact>elasticsearch_ip</read_fact>
+  <read_fact>elasticsearch_port</read_fact>
+
+  <default_input into="elasticsearch_ip">
+    <value>localhost</value>
+  </default_input>
+
+  <default_input into="elasticsearch_port">
+    <value>9200</value>
+  </default_input>
+
+  <requires>
+    <type>update</type>
+  </requires>
+
+  <requires>
+    <module_path>.*elasticsearch</module_path>
+  </requires>
+
+</utility>

modules/utilities/unix/logging/watcher/templates/watch.json.erb

@@ -0,0 +1,50 @@
+{
+  "trigger": {
+    "schedule": {
+      "cron": "0 0/1 * * * ?"
+    }
+  },
+  "input": {
+    "search": {
+      "request": {
+        "indices": [
+          "logstash*"
+        ],
+        "body": {
+          "query": {
+            "bool": {
+              "must": {
+                "match": {
+                  "response": 404
+                }
+              },
+              "filter": {
+                "range": {
+                  "@timestamp": {
+                    "from": "{{ctx.trigger.scheduled_time}}||-5m",
+                    "to": "{{ctx.trigger.triggered_time}}"
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+    }
+  },
+  "condition": {
+    "compare": {
+      "ctx.payload.hits.total": {
+        "gt": 0
+      }
+    }
+  },
+  "actions": {
+    "email_admin": {
+      "email": {
+        "to": "admin@domain.host.com",
+        "subject": "404 recently encountered"
+      }
+    }
+  }
+}

modules/utilities/unix/logging/watcher/watcher.pp

@@ -0,0 +1 @@
+include watcher::configure