# Scheduled Elasticsearch query definitions, one [section] per query.
# The [DEFAULT] section is a Python configparser feature (its keys are
# fallbacks for every other section); to any other INI parser it is just an
# ordinary section named DEFAULT. NOTE(review): the consuming tool is not
# visible here - presumably configparser-based, confirm before assuming so.

[DEFAULT]
# Fallback index pattern for sections that do not set QueryIndices.
# NOTE(review): configparser keeps the quote characters as data, so this is
# the two-character string "" unless the consumer strips quotes - verify.
QueryIndices = ""

# Detection: auth-log events attributed to the root user.
[query_authlog_root_login]
# Per-section values override the DEFAULT settings.
# Index pattern to search; the angle-bracket form is consumer-specific.
QueryIndices = <*-authlog-*>
# Seconds between runs, and the per-run request timeout in seconds.
QueryIntervalSecs = 60
QueryTimeoutSecs = 15
# A failed query or a missing index is dropped. NOTE(review): whatever "drop"
# means to the consumer, it makes this detection fail silent - a typo in the
# index pattern or an Elasticsearch outage yields no alert and no error, so
# monitor for an absence of results separately.
QueryOnError = drop
QueryOnMissing = drop
# Query body, kept on one line (multi-line INI values are parser-specific).
# size=0 returns only the hit count, not the matching documents, so no
# host/source-IP detail is available to the alert. The 5-minute lookback
# overlaps the 60-second interval, so a single event is visible to several
# consecutive runs - assumes the consumer de-duplicates or only compares
# counts; confirm. match_phrase is an exact comparison only if
# system.auth.user is mapped as keyword; on an analysed text field a term
# query on the keyword sub-field is stricter. The exists clause is redundant
# with match_phrase (which never matches a missing field) but harmless.
QueryJson = {"size": 0, "query": {"bool": {"must": [], "filter": [{"range": {"@timestamp": {"format": "strict_date_optional_time", "gte": "now-5m/m", "lte": "now"}}}, {"exists": {"field": "system.auth.user"}}, {"match_phrase": {"system.auth.user": "root"}}]}}}