Hi everyone,
I am building a TICK stack to monitor logs and metrics that come from a network device where I have telegraf running and collecting syslog logs.
From there, I want to build an alert (using a tickscript) when there is an authentication event on the device and the MAC address reported in the syslog message is not a "known" one. Alerts go to a Telegram bot. Apologies in advance, I am pretty new to the TICK stack (this is my fourth tickscript), so I am still getting up to speed with it. The sanitized script looks like the following:
```
var period = 1m
var every = 1m

// Dataframe
var data = batch
    |query('''
        SELECT message FROM "telegraf"."autogen"."syslog"
        WHERE message =~ / authenticated/
    ''')
        .period(period)
        .every(every)
        .groupBy('host')
    |last('message')
        .as('last_message')
    |log()

// Thresholds
var alert = data
    |eval(lambda: if(strContains("last_message", 'MAC_ADDRESS_IN_HERE'), 'true', 'false'))
        .as('mac_present')
    |alert()
        .id('{{ index .Tags "host"}}')
        .message('{{ .ID }} : Successful authentication unknown Mac ')
        .crit(lambda: "mac_present" == 'false')
        .telegram()
            .chatId('CHAT_ID_IN_HERE')
    |log()
```
I can't make the lambda with strContains in it work (I can't really tell what last_message contains at that point). Also, on a separate note (less important than that one), I can't see how to append the whole syslog message string into the .message.
Thanks for your help.
Kapacitor Version: 1.5.5
Chronograf Version: 1.8.4
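The following is an added example of the same detection, not the original poster's script. It assumes placeholder MAC addresses, chat id and log path, which you would replace with your own. It makes two changes worth knowing about: an eval() node drops every field it did not create unless keep() is called, which is why last_message is not visible to the alert template after the eval, and the allowed MACs are checked with a regex match rather than a single strContains(), so the "known" list lives in one place.

```tickscript
// Added example (not from the original post). Placeholders: the two MAC
// addresses, the Telegram chat id and the log file path.
var period = 1m
var every = 1m

var data = batch
    |query('''
        SELECT message FROM "telegraf"."autogen"."syslog"
        WHERE message =~ / authenticated/
    ''')
        .period(period)
        .every(every)
        .groupBy('host')
    // Last authentication line per host in this window.
    |last('message')
        .as('last_message')

data
    // known_mac is TRUE when the message mentions one of the allowed MACs.
    // (?i) makes the match case-insensitive, since devices differ in how
    // they print MAC addresses. The regex is inlined in the lambda.
    // eval() keeps only the fields it creates unless keep() is used, so
    // last_message is kept explicitly for the alert template below.
    |eval(lambda: "last_message" =~ /(?i)(aa:bb:cc:dd:ee:ff|11:22:33:44:55:66)/)
        .as('known_mac')
        .keep('last_message', 'known_mac')
    |alert()
        .id('{{ index .Tags "host" }}')
        // .Fields exposes the kept fields, so the full syslog line can be
        // appended to the alert text.
        .message('{{ .ID }}: successful authentication from unknown MAC: {{ index .Fields "last_message" }}')
        .crit(lambda: !"known_mac")
        .telegram()
            .chatId('CHAT_ID_IN_HERE')
        // Also write alerts to a local file to check what the template renders.
        .log('/tmp/unknown_mac_alerts.log')
```

Two caveats when relying on this as a detection. last() keeps one point per host per period, so if an unknown MAC authenticates and a known one follows within the same minute, only the second line is evaluated; a stream task with from() would evaluate every matching line instead. And the check is only as good as the message regex: confirm against the device's actual syslog format that the MAC always appears in the line matched by `/ authenticated/`.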