Using Environment variables in ElastAlert

I am trying to implement alerts on my data present in Elasticsearch using ElastAlert. I would like to know if there is a way to use environment variables, a properties file, or exported values to change the fields present in rule types in ElastAlert, instead of going and changing the values manually in the rule files, to reduce the possibility of an error. For example, my spike rule configuration looks like this:

    name: Event spike
    type: spike
    index: alerting-logs-*
    threshold_cur: 300
    timeframe:
      minutes: 2
    spike_height: 2
    spike_type: "up"
    query...

How do I configure elastalert so it will connect to any server in the cluster?

How do I configure elastalert so it will connect to any available server in the cluster? The docs say: "es_host is the address of an Elasticsearch cluster where ElastAlert will store data about its state, queries run, alerts, and errors. Each rule may also use a different Elasticsearch host to query against." But every example I can find just points to one IP address or hostname. I have tried using a list of hostnames such as [elasticserver1, elasticserver2, elasticserver3], but that just causes elastalert to fail to start....

Turned off Elastalert for a couple of days, now it's querying all data since I turned it off

I'm testing out elastalert, and there was a strange issue on Wednesday, before the holiday weekend, so I just removed all the alert configurations and rebooted elastalert so it had no alerts over the weekend. Now on Monday I turned it back on and it's querying all the logs since Wednesday and it's taking quite a long time to catch up. I only want to query recent data. Is this a setting? How do I disable it if I want? Here is an example alert config:

    name: alert-name
    type: frequency
    num_events: 500
    timeframe:
      minutes: 60
    realert:
      minutes: 60
    index:...

elastalert - Query a specific time-range and alert at specific time of the day

I need to run a rule at 2 am, querying logs from 0 to 2 am, and alert if matches are found. So far all the rules I created are frequency rules, but I don't know how to achieve the specific time range for the query, and a specific time for the alert. Can someone please help? (I guess the ANY type could let me add my time range as part of the filter... but then how can I run the rule at 2 am every day?)...

How to adjust Kibana Dashboard link in ElastAlert

I have written the following rule:

    type: frequency
    filter:
    - query:
        query_string:
          query: "category:foo.bar AND msg._:*Failure*"
    alert_text: "Total number of errors cross threshold..... <a href='{0}'>Kibana link</a>"
    alert_text_args:
      - kibana_link
    alert_text_type: alert_text_only

My config.yaml is:

    # Kibana Dashboard
    use_kibana4_dashboard: http://mykibana.com/

When an alert is raised and I click on the hyperlink which I am putting in the message, it takes me to my dashboard. But what I want is that instead of a dashboard it takes to th...

ElastAlert: Access to Elasticsearch exposed by OAuth2

Context:

    ElastAlert v0.1.29 included in a Docker container on OpenShift Orchestrator
    Elasticsearch 2.4.4 exposed by OpenShift agregate_logging (with OAuth2)

Hello,

From ElastAlert, I want to connect to Elasticsearch. Elasticsearch's authentication uses OAuth2. OAuth2 requires the X-Proxy-Remote-User header and the token in the headers of the requests, e.g.:

    curl -k -H "Authorization: Bearer $token" -H "X-Proxy-Remote-User: $(oc whoami)" -H "X-Forwarded-For: 127.0.0.1" https://es.example.test/_cat/indices

I believe that ElastAlert doesn't support the authenticate ...

elastalert configure slack notification

Hi, I'm trying to configure a Slack notification in a test.yaml file and am getting the error below:

    ERROR:root:Could not load rule /opt/rules/test.yaml: Error initiating alert ['slack', {'slack_webhook_url': 'https://hooks.slack.com/servichttps://hooks.slack.com/services/abcd'}]: Could not import module slack_webhook_url: need more than 1 value to unpack

    alert: "slack"
    slack_webhook_url: "https://hooks.slack.com/servichttps://hooks.slack.com/services/abcd"

Is this the correct way to define the Slack alert...

How to adjust @timestamp to local time zone in Elastalert

I'm trying to adjust the returned datetime value to be proper for my time zone. My notifications look like this:

    An abnormally low number of events occurred around 2016-09-28 22:49 CEST.

And this is the proper date referred to my time zone. In the fields section of the notification I'm getting the time in the UTC-0 zone:

    @timestamp: 2016-09-28T20:49:44.711696Z

I have tried to use an Enhancement this way, in a file in ..\elastalert\elastalert_modules:

    from datetime import datetime
    from elastalert.enhancements import BaseEnhancement

    class TimeEnhancement(BaseEnhancement):
        def process(self...

Elastalert rule for CPU usage in percentage

I am facing an issue with an elastalert rule for CPU usage (not load average). I am not getting any hit or match. Below is my .yaml file for the CPU rule:

    name: CPU usgae
    type: metric_aggregation
    index: metricbeat-*
    buffer_time:
      minutes: 10
    metric_agg_key: system.cpu.total.pct
    metric_agg_type: avg
    query_key: beat.hostname
    doc_type: doc
    bucket_interval:
      minutes: 5
    sync_bucket_interval: true
    max_threshold: 60.0
    filter:
    - term:
        metricset.name: cpu
    alert:
    - "email"
    email:
    - "xyz@xy.com"

Can you please help me with what changes I need to make in my rule. Any assistance will be...

Is it possible not to display rule name in ElastAlert alerts?

I'm using a custom rule with a custom alerter that writes the alerts to a text file, and I'd like not to have the name of the rule written before alerts, given that only that specific rule will write to this file. Is there any option to only write the rule type text or the alert text? Or something to create my own alert text type? Ideally I'd like my alert texts to be only the ruletype_text...

Elastalert 'spike' rule alerting on 0 events being greater than 0 events

I am using elastalert HEAD as of today. I am using this rule:

    es_host: *******
    es_port: 443
    use_ssl: True
    name: Mike Learning Two
    type: spike
    index: cwl-*
    threshold: 2
    timeframe:
      minutes: 1
    spike_height: 2
    spike_type: "up"
    filter:
    - query:
        query_string:
          query: "status:404"
    alert:
    - "debug"

And it does indeed detect spikes. But sometimes it alerts with this message:

    INFO:elastalert:Alert for Mike Learning Two at 2016-03-30T08:27:52.137927Z:
    INFO:elastalert:Mike Learning Two
    An abnormal number (0) of events occurred around 2016-03-30 08:27 UTC.
    Preceding t...