
Watch for file changes with Alerting OpenDistro for Elasticsearch

Today I needed to monitor changes to certain files on a server. There are many ways to do this, for example osquery from Facebook, but since I recently started using Open Distro for Elasticsearch, I decided to monitor the files with the Elastic stack, using one of its Beats (Auditbeat).


I will not describe the installation of the Elastic stack and Auditbeat; everything is done according to the manuals. The only thing to do after installation is to edit auditbeat.yml and add the path of the monitored file to the paths list of the file_integrity module.


After configuring and starting Auditbeat, an auditbeat-* index appears in Kibana.



Next, in Alerting we create a monitor: specify the monitor name, the check interval, the monitor type (defined by an extraction query) and the index to search (auditbeat-*):



In Define extraction query we enter the following:


Define extraction query

```json
{
  "query": {
    "bool": {
      "must": [
        { "match_phrase": { "file.path": { "query": "</  >" } } }
      ],
      "filter": [
        { "term": { "event.action": { "value": "attributes_modified" } } },
        { "range": { "@timestamp": { "from": "now-1m" } } }
      ],
      "adjust_pure_negative": true,
      "boost": 1
    }
  }
}
```

Here `</  >` is the path of the monitored file. Instead of `attributes_modified` you can use `created` or `deleted`, depending on which event you want to catch; the range clause limits the search to the last minute, i.e. the monitor's check interval.

After pressing the Run button and checking the query, we should see this:



We try changing the target file and run the query again:



As you can see, the hit count has changed to 2. Click Update and create a trigger on the changed value:



We leave everything as shown in the screenshot.


Then you can set up notifications to Slack or another messenger as a trigger action.
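The whole procedure above, from the auditbeat.yml fragment to a monitor with a trigger and a Slack action, collected into one runnable script. This is an added example, not code from the original post and not part of Open Distro itself; the node URL, credentials, webhook URL and monitor names are assumptions, while the endpoints used (`_opendistro/_alerting/destinations`, `_opendistro/_alerting/monitors`) are the Alerting plugin's REST API. It generalizes the article's query in two ways: a `terms` filter so one monitor covers several `event.action` values (the article used only `attributes_modified`), and a `range` window derived from the check interval, written with `gte` instead of the deprecated `from`.

```python
"""Register an Open Distro Alerting monitor that fires when Auditbeat's
file_integrity module reports a change to a watched file.

Added example for this article, not code from the original post.
Assumptions (not in the article): Open Distro at ES_URL, basic-auth
credentials in ES_AUTH, and a placeholder Slack webhook URL.
"""
import base64
import json
import urllib.request

ES_URL = "https://localhost:9200"   # assumption: local Open Distro node
ES_AUTH = ("admin", "admin")        # assumption: demo credentials

# event.action values emitted by the file_integrity module that we
# want to alert on; the article used only attributes_modified.
FILE_EVENTS = ("attributes_modified", "created", "deleted", "updated")


def auditbeat_file_integrity_yaml(paths, recursive=False):
    """Render the auditbeat.modules entry for the file_integrity module."""
    lines = ["auditbeat.modules:", "- module: file_integrity", "  paths:"]
    lines += [f"  - {p}" for p in paths]
    lines += [f"  recursive: {str(recursive).lower()}",
              "  hash_types: [sha256]",
              "  scan_at_start: true"]
    return "\n".join(lines) + "\n"


def extraction_query(path, actions=FILE_EVENTS, window="now-1m"):
    """Same shape as the article's extraction query, but `terms` instead
    of `term` (several actions in one monitor) and `gte` instead of the
    deprecated `from`. The window must be at least the check interval,
    otherwise a change can fall between two monitor runs."""
    return {
        "query": {
            "bool": {
                "must": [{"match_phrase": {"file.path": path}}],
                "filter": [
                    {"terms": {"event.action": list(actions)}},
                    {"range": {"@timestamp": {"gte": window}}},
                ],
            }
        }
    }


def monitor_body(name, path, interval_minutes=1, destination_id=None):
    """Monitor definition: schedule, search input, and one trigger that
    fires when the query returns any hit; a Slack action is attached
    only when a destination id is given."""
    trigger = {
        "name": f"{name}-changed",
        "severity": "1",
        "condition": {"script": {
            "source": "ctx.results[0].hits.total.value > 0",
            "lang": "painless"}},
        "actions": [],
    }
    if destination_id:
        trigger["actions"].append({
            "name": "notify-slack",
            "destination_id": destination_id,
            "subject_template": {"source": "File change: {{ctx.monitor.name}}",
                                 "lang": "mustache"},
            "message_template": {"source": "{{ctx.results.0.hits.total.value}} "
                                 f"change event(s) for {path} in the last interval",
                                 "lang": "mustache"},
        })
    return {
        "type": "monitor",
        "name": name,
        "enabled": True,
        "schedule": {"period": {"interval": interval_minutes, "unit": "MINUTES"}},
        "inputs": [{"search": {
            "indices": ["auditbeat-*"],
            "query": extraction_query(path, window=f"now-{interval_minutes}m")}}],
        "triggers": [trigger],
    }


def slack_destination_body(name, webhook_url):
    """Destination definition for the Slack action."""
    return {"name": name, "type": "slack", "slack": {"url": webhook_url}}


def _post(endpoint, body):
    """POST a JSON body to the Alerting API with basic auth. A cluster with
    the self-signed demo certificate needs an ssl context passed to urlopen."""
    token = base64.b64encode(":".join(ES_AUTH).encode()).decode()
    req = urllib.request.Request(
        f"{ES_URL}{endpoint}", data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def register(path, webhook_url):
    """Create the Slack destination, then the monitor that uses it."""
    dest = _post("/_opendistro/_alerting/destinations",
                 slack_destination_body("slack-secops", webhook_url))
    name = "watch-" + path.strip("/").replace("/", "-")
    return _post("/_opendistro/_alerting/monitors",
                 monitor_body(name, path, destination_id=dest["_id"]))


if __name__ == "__main__":
    print(auditbeat_file_integrity_yaml(["/etc/passwd"]))
    print(json.dumps(monitor_body("watch-etc-passwd", "/etc/passwd",
                                  destination_id="<destination id>"), indent=2))
```

Running the script prints the auditbeat.yml fragment and the monitor JSON, which can also be pasted into the Alerting UI; `register("/etc/passwd", webhook)` creates the destination and the monitor over the API instead of clicking through Kibana.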



Source: https://habr.com/ru/post/459554/

