Alerting change file

[mcoam]

Hello, I've ELK and Beats plugin (auditbeat) for monitoring files and directories and works fine. Now integrate Elastalert, but dont have clarity for create rules for auditbeat index. Someone have any example, please.

Thanks.

[Qmando]

Do you know what you want to alert on?

[mcoam]

Hello, yes, i'm alerting with email notification. I've some test rule (ssh, process) with logstash-* index and works fine, but auditbeat i've a little confusion .

thanks

[Qmando]

What are you confused about? It should work the same whatever the index is.

[mcoam]

For example, with auditbeat i've custom tags for search change in files. From Kibana i search with tags: change and list the file. I need create from elastalert the similar rule with tags: change and alert the event. My confused is ¿How do i search and filter with my custom tags: xxxx?

Thanks.