update watcher examples for 7.x (#333)

* added remote cluster support (add endpoint arg)
* fixed deprecation issues

Author: DanRoscigno

Alerting/Sample Watches/README.md

@@ -24,11 +24,11 @@ In each watch directory the following is provided:
 
 The parent directory includes the following utility scripts:
 
-* run_test.py - A python script which can be used to run a specific test e.g. python run_test.py --test_file new_process_started/tests/test1.json. Include optional username and password with --user and --password parameters.
+* run_test.py - A python script which can be used to run a specific test e.g. python run_test.py --test_file new_process_started/tests/test1.json. Include optional username and password with --user, --password, --endpoint, --port, and --protocol parameters.
 * load_watch.sh.  Utility script for loading a watch to a local Elasticsearch cluster.  Each watch can be loaded by running `load_watch.sh <watch folder name>`.  This will also index any scripts. Username and password for the cluster can be specified as parameters e.g.
-`load_watch.sh <watch folder name> <username> <password> <protocol>`
-* run_test.sh - Runs a specified watches tests. Specify watch by directory name e.g. `run_test.sh port_scan`. Include optional username and password e.g. `run_test.sh port_scan <username> <password> <protocol>`.
-* run_all_tests.sh - Runs all tests. Include optional username and password e.g. `run_all_tests.sh <username> <password> <protocol>`.
+`load_watch.sh <watch folder name> <optional_username> <optional_password> <optional_endpoint>:<optional_port> <optional_protocol>"`
+* run_test.sh - Runs a specified watches tests. Specify watch by directory name e.g. `run_test.sh port_scan`. Include optional username and password e.g. `run_test.sh <watch folder name> <username> <password> <endpoint> <protocol>`.
+* run_all_tests.sh - Runs all tests. Include optional username and password e.g. `run_all_tests.sh <username> <password> <endpoint> <protocol>`.
 
 If username, password, and protocol are not specified, the above scripts assume the x-pack default of "elastic", "changeme", and "http" respectively.
 

Alerting/Sample Watches/cpu_iowait_hosts/mapping.json

@@ -1,6 +1,5 @@
 {
   "mappings": {
-    "doc":{
       "properties": {
         "beat":{
           "properties": {
@@ -106,6 +105,5 @@
           }
         }
       }
-    }
   }
-}
+}

Alerting/Sample Watches/cpu_iowait_hosts/watch.json

@@ -16,9 +16,6 @@
                 "indices": [
                     "metricbeat-*"
                 ],
-                "types": [
-                    "doc"
-                ],
                 "body": {
                   "size": 0,
                   "aggs": {
@@ -27,7 +24,7 @@
                         "per_minute": {
                           "date_histogram": {
                             "field": "@timestamp",
-                            "interval": "{{ctx.metadata.interval}}"
+                            "fixed_interval": "{{ctx.metadata.interval}}"
                           },
                           "aggs": {
                             "iowait": {
@@ -84,4 +81,4 @@
 	          }
         }
     }
-}
+}

Alerting/Sample Watches/errors_in_logs/mapping.json

@@ -1,6 +1,5 @@
 {
   "mappings": {
-    "doc": {
       "properties": {
         "@timestamp": {
           "type": "date",
@@ -13,6 +12,5 @@
           "type": "keyword"
         }
       }
-    }
   }
-}
+}

Alerting/Sample Watches/filesystem_usage/mapping.json

@@ -1,6 +1,5 @@
 {
   "mappings": {
-    "filesystem":{
       "properties": {
         "hostname":{
           "type": "keyword"
@@ -12,6 +11,5 @@
           "type":"date"
         }
       }
-    }
   }
-}
+}

Alerting/Sample Watches/filesystem_usage/watch.json

@@ -14,9 +14,6 @@
         "indices": [
           "logs"
         ],
-        "types": [
-          "filesystem"
-        ],
         "body": {
           "aggs": {
             "host": {
@@ -75,9 +72,9 @@
     "log": {
       "logging": {
         "text": {
-          "inline": "Some hosts are over {{ctx.payload.threshold}}% utilized:{{#ctx.payload.hosts}}{{disk_usage}}%-{{key}}:{{/ctx.payload.hosts}}"
+          "source": "Some hosts are over {{ctx.payload.threshold}}% utilized:{{#ctx.payload.hosts}}{{disk_usage}}%-{{key}}:{{/ctx.payload.hosts}}"
         }
       }
     }
   }
-}
+}

Alerting/Sample Watches/lateral_movement_in_user_comm/mapping.json

@@ -1,6 +1,5 @@
 {
   "mappings": {
-    "doc": {
       "properties": {
         "user_server": {
           "type": "keyword"
@@ -14,6 +13,5 @@
           "format": "HH:mm:ss||strict_time_no_millis"
         }
       }
-    }
   }
-}
+}

Alerting/Sample Watches/load_watch.sh

@@ -60,14 +60,15 @@ do
     fi
 done
 
-echo "Loading $1 watch "
 
-curl -H "Content-Type: application/json" -s -o /dev/null -X DELETE $endpoint:$port/_xpack/watcher/watch/$1 -u $username:$password
+echo "Removing existing $1 watch "
+curl -H "Content-Type: application/json" -s -X DELETE $protocol$endpoint:$port/_xpack/watcher/watch/$1 -u $username:$password
+echo "Loading $1 watch "
 es_response=$(curl -H "Content-Type: application/json" --w "%{http_code}" -s -o /dev/null -X PUT $protocol$endpoint:$port/_xpack/watcher/watch/$1 -u $username:$password -d @$1/watch.json)
 if [ 0 -eq $? ] && [ $es_response = "201" ]; then
-  echo "Loading $2 watch...OK"
+  echo "Loading $1 watch...OK"
   exit 0
 else
-  echo "Loading $2 watch...FAILED"
+  echo "Loading $1 watch...FAILED with response code $es_response"
   exit 1
 fi

Alerting/Sample Watches/monitoring_cluster_health/mapping.json

@@ -1,6 +1,5 @@
 {
   "mappings": {
-    "doc": {
       "date_detection": false,
       "properties": {
         "cluster_state": {
@@ -37,6 +36,5 @@
           "type": "keyword"
         }
       }
-    }
   }
-}
+}

Alerting/Sample Watches/monitoring_cluster_health/tests/test1.json

@@ -1,7 +1,7 @@
 {
   "watch_name":"monitoring_cluster_health",
   "mapping_file":"./monitoring_cluster_health/mapping.json",
-  "index":".monitoring-es-test",
+  "index":"monitoring-es-test",
   "type":"doc",
   "time_field":"timestamp",
   "watch_file":"./monitoring_cluster_health/watch.json",