@bitsprint
Created July 29, 2018 13:12
Add an Elastic Watch
# Elasticsearch 2.x exposes Watcher under /_watcher
function Add-ElasticWatch-v2($name, $body) {
    $uri = "http://localhost:9200/_watcher/watch/" + $name
    Add-ElasticWatch $name $uri $body
}

# Elasticsearch 5.x moved Watcher under the X-Pack prefix /_xpack/watcher
function Add-ElasticWatch-v5($name, $body) {
    $uri = "http://localhost:9200/_xpack/watcher/watch/" + $name
    Add-ElasticWatch $name $uri $body
}

# PUT the watch body to the given URI. Arguments are passed space-separated:
# writing Add-ElasticWatch($name, $uri, $body) would pass one three-element
# array as $name and leave $uri and $body empty.
# [AuthorizationToken] is base64(username:password).
function Add-ElasticWatch($name, $uri, $body) {
    Invoke-WebRequest -Uri $uri -Method Put -ContentType "application/json" -Headers @{ Authorization = "Basic [AuthorizationToken]" } -Body $body
}

bitsprint commented Jul 29, 2018

Add-ElasticWatch-v2 -name [NAME] -body '{
  "trigger" : { "schedule" : { "interval" : "1m" } },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logging-*" ],
        "body" : {
          "query" : {
            "bool" : {
              "must" : [
                {
                  "query_string" : {
                    "default_field" : "providerName",
                    "query" : "[QUERY STRING]"
                  }
                },
                {
                  "query_string" : {
                    "default_field" : "eventId",
                    "query" : "16"
                  }
                }
              ]
            }
          }
        }
      }
    }
  },
  "actions": {
    "monitoring_webhook" : {
      "webhook" : {
        "method" : "POST",
        "host" : "localhost",
        "port": 8448,
        "path":"/api",
        "body" : "{ \"alertModelLevel\": \"0\", \"subject\":\"[SUBJECT]\", \"body\": \"{{#toJson}}ctx{{/toJson}}\" }"
      }
    }
  }
}'
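The same PUT written in Python, as an added example that is not the gist's own code: the Authorization header is derived from the username and password at run time instead of being pasted in as a token, the Watcher path is picked by Elasticsearch major version exactly as the v2/v5 functions above do, and the watch body mirrors the providerName/eventId webhook watch in this comment. The node address, the `major_version` parameter and the sample credentials are assumptions.

```python
import base64
import json
import urllib.request

# Watcher REST prefix by Elasticsearch major version (from the gist's v2/v5 functions).
WATCHER_PATHS = {2: "/_watcher/watch/", 5: "/_xpack/watcher/watch/"}


def watcher_url(major_version, name, base="http://localhost:9200"):
    """Build the PUT URL for a named watch; base is an assumed local node."""
    return base + WATCHER_PATHS[major_version] + name


def basic_auth_header(user, password):
    """Derive 'Basic <base64(user:password)>' from the credentials at run time."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def build_watch(provider, event_id, interval="1m", port=8448, subject="alert"):
    """Watch with the same shape as the comment above: providerName + eventId
    query_string clauses over logging-*, and a webhook action POSTing to /api."""
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "indices": ["logging-*"],
            "body": {"query": {"bool": {"must": [
                {"query_string": {"default_field": "providerName", "query": provider}},
                {"query_string": {"default_field": "eventId", "query": str(event_id)}},
            ]}}},
        }}},
        "actions": {"monitoring_webhook": {"webhook": {
            "method": "POST", "host": "localhost", "port": port, "path": "/api",
            # The webhook body is itself a JSON document that Watcher renders as a
            # Mustache template; ctx is serialised by the toJson helper.
            "body": json.dumps({"alertModelLevel": "0", "subject": subject,
                                "body": "{{#toJson}}ctx{{/toJson}}"}),
        }}},
    }


def put_watch(major_version, name, watch, user, password):
    """PUT the watch and return the HTTP status. Needs a reachable Elasticsearch."""
    req = urllib.request.Request(
        watcher_url(major_version, name),
        data=json.dumps(watch).encode("utf-8"),
        method="PUT",
        headers={"Authorization": basic_auth_header(user, password),
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Only `put_watch` touches the network; the other three functions are pure and can be checked offline before anything is sent to the cluster.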

@bitsprint

Elasticsearch Logging – Deployment & configuration

  1. Browse the Elasticsearch bin directory, e.g.
    $ cd C:\Program Files\elasticsearch-2.1.1\bin
  2. Install two plugins, License and Shield
    $ plugin install license
    $ plugin install shield
  1. Browse the Shield directory, e.g.
    $ cd C:\Program Files\elasticsearch-2.1.1\bin\shield
  2. Create a new user named es_admin with the role admin, e.g.
    $ esusers useradd es_admin -r admin -p secret
  3. Update kibana.yml with the user credentials
    elasticsearch.username: es_admin
    elasticsearch.password: secret
  1. Update the Service Fabric projects with the password - PackageRoot > Config > Settings.xml
    <Section Name="ElasticSearchEventListener">
      <Parameter Name="serviceUri" Value="http://localhost:9200" />
      <Parameter Name="indexNamePrefix" Value="logging" />
      <Parameter Name="enabled" Value="true" />
      <Parameter Name="userName" Value="es_admin" />
      <Parameter Name="password" Value="secret" />
    </Section>
  1. Browse the Elasticsearch bin directory, e.g.
    $ cd C:\Program Files\elasticsearch-2.1.1\bin
  2. Install Watcher
    $ plugin install watcher
  3. Restart the Elasticsearch service
  4. Add the notification configuration to elasticsearch.yml (this will most likely be replaced by a webhook), e.g.

watcher.actions.email.service.account:
    outlook_account:
        profile: outlook
        smtp:
            auth: true
            starttls.enable: true
            host: smtp-mail.outlook.com
            port: 587
            user: <username>
            password: <password>
  1. Add a watch named 'log_servicetyperegistered_watch'; the example notifies when a ServiceTypeRegistered event occurs in logging (the authorization header is the base64-encoded username:password)
    Email example:
curl -XPUT 'http://localhost:9200/_watcher/watch/log_servicetyperegistered_watch' -H "Authorization: Basic [AuthorisationToken]" -d '{
  "trigger" : {
    "schedule" : { "interval" : "30m" } 
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logging-*" ],
        "body" : {
          "query" : {
            "match" : { "eventName": "ServiceTypeRegistered" }
          }
        }
      }
    }
  },
  "actions": {
    "send_email": { 
      "email": {
        "to": "user@org", 
        "subject": "Watcher Notification - ServiceTypeRegistered",
        "body": "A ServiceTypeRegistered message was received."
      }
    }
  }
}'

Webhook example (see note below):

curl -XPUT 'http://localhost:9200/_watcher/watch/log_servicetyperegistered_watch' -H "Authorization: Basic [AuthorisationToken]" -d '{
  "trigger" : {
    "schedule" : { "interval" : "1m" }
  },
  "input" : {
    "search" : {
      "request" : {
        "indices" : [ "logging-*" ],
        "body" : {
          "query" : {
            "match" : {
              "eventName": "ServiceTypeRegistered"
            }
          }
        }
      }
    }
  },
  "actions": {
    "my_webhook" : {
      "webhook" : {
        "method" : "POST",
        "host" : "localhost",
        "port": 8080,
        "path":"/api",
        "body" : "ServiceTypeRegistered events received: {{ctx.payload.hits.total}}"
      }
    }
  }
}'


  1. Monitor watches
    • Go to the Kibana Settings > Indices tab.
    • Enter .watch_history* in the Index name or pattern field.
    • Click in the Time field name field and select trigger_event.triggered_time
    • Go to the Discover tab to see the most recently executed watches.

Note:
To test the webhook example above, I used the following code to create a Nancy micro-service in LinqPad:

// LinqPad query (language: C# Program). Reference the Nancy and Nancy.Hosting.Self
// packages and import their namespaces (Nancy, Nancy.Hosting.Self and
// Nancy.Extensions, which supplies AsString()) in the query properties.
void Main()
{
	// Self-host Nancy on the host/port the webhook action above posts to
	using (var host = new Nancy.Hosting.Self.NancyHost(
						new Uri("http://localhost:8080"),
						new LinqpadNancyBootstrapper(),
						new HostConfiguration { UrlReservations = new UrlReservations { CreateAutomatically = true } }))
	{
		host.Start();
		Console.ReadLine(); // keep the host alive until Enter is pressed
	}
}

// Routes under /api: GET is a smoke test, POST receives the Watcher webhook body
public class HelloModule : Nancy.NancyModule
{
	public HelloModule() : base("api")
	{
		Get["/"] = parameters => "Hello World";
		// Dump() is LinqPad's output helper; it shows the raw body Watcher posted
		Post["/"] = parameters => { Context.Request.Body.AsString().Dump(); return HttpStatusCode.OK; };
	}
}

// Default bootstrapper with no extra container registrations
public class LinqpadNancyBootstrapper : Nancy.DefaultNancyBootstrapper
{
	protected override void ConfigureApplicationContainer(Nancy.TinyIoc.TinyIoCContainer container)
	{
	}
}
