About Elastalert errors

We would like to use Elasticsearch and Kibana to achieve the ability to email administrators about unusual events.
We're using elastalert2 for this purpose, but the filter is in error.

We have spent a lot of time on this problem, but have not been able to solve it.
So we are consulting with those who are on the road ahead. Please help us.
My elastalert command and its results are as follows:

elastalert-test-rule --config elastalert2/config.yaml examples/rules/example_frequency.yaml --alert

##########################

##########################
Error running your filter:
TypeError("Elasticsearch.search() got multiple values for argument 'body'")

1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule Example frequency rule from 2023-03-29 23:21 UTC to 2023-03-29 23:36UTC: 0 / 0 hits
INFO:elastalert:Queried rule Example frequency rule from 2023-03-29 23:36 UTC to 2023-03-29 23:51UTC: 0 / 0 hits
INFO:elastalert:Queried rule Example frequency rule from 2023-03-29 23:51 UTC to 2023-03-30 00:06UTC: 0 / 0 hits
INFO:elastalert:Queried rule Example frequency rule from 2023-03-30 00:06 UTC to 2023-03-30 00:21UTC: 0 / 0 hits
INFO:elastalert:Queried rule Example frequency rule from 2023-03-30 00:21 UTC to 2023-03-30 00:22UTC: 0 / 0 hits

Would have written the following documents to writeback index (default is elastalert_status):

elastalert_status - {'rule_name': 'Example frequency rule', 'endtime': datetime.datetime(2023, 3,30, 0, 22, 6, 480746, tzinfo=tzutc()), 'starttime': datetime.datetime(2023, 3, 29, 23, 21, 30, 480746,
tzinfo=tzutc()), 'matches': 0, 'hits': 0, '@timestamp': datetime.datetime(2023, 3, 30, 0,22, 6, 548239, tzinfo=tzutc()), 'time_taken': 0.03283810615539551}

##########################
My elastalert rule file is as follows:

name: Example frequency rule
type: frequency
index: winlogbeat-7.6.2-*
num_events: 1
timeframe:
  hours: 1
filter:
- term:
    hostname: ".xxx.xxx.co.jp"
alert:
- "email"
email:
- "xxx.xxx@xxxxxxxxxx.co.jp"
smtp_host: "xxxxxxmail.jp"
smtp_port: 25
smtp_ssl: false
from_addr: "xxxxxxxxx@xxxx.xxxxx.co.jp"
alert_text_type: alert_text_only
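As an added example (not code from the post above or from the ElastAlert 2 project), a small Python checker for the structure of a frequency rule like the one in the post. It takes the mapping PyYAML would produce for that rule file, embedded here as a constructed dict with the post's placeholder values, and reports the structural mistakes that are easy to make when editing the YAML by hand (filter written as a mapping instead of a list, bad timeframe units, an alerter without its settings); the required-key and unit names are assumptions drawn from ElastAlert's documented rule format.

```python
# Constructed input: the mapping PyYAML yields for the rule file in the post, placeholders kept.
RULE = {
    "name": "Example frequency rule",
    "type": "frequency",
    "index": "winlogbeat-7.6.2-*",
    "num_events": 1,
    "timeframe": {"hours": 1},
    "filter": [{"term": {"hostname": ".xxx.xxx.co.jp"}}],
    "alert": ["email"],
    "email": ["xxx.xxx@xxxxxxxxxx.co.jp"],
    "smtp_host": "xxxxxxmail.jp",
    "smtp_port": 25,
    "smtp_ssl": False,
    "from_addr": "xxxxxxxxx@xxxx.xxxxx.co.jp",
}
TIME_UNITS = {"seconds", "minutes", "hours", "days", "weeks"}  # assumed timeframe units

def validate_rule(rule):
    """Return a list of problem strings; an empty list means the rule looks sane."""
    problems = []
    for key in ("name", "type", "index", "alert"):
        if key not in rule:
            problems.append(f"missing required key '{key}'")
    if rule.get("type") == "frequency":
        if not isinstance(rule.get("num_events"), int) or rule["num_events"] < 1:
            problems.append("'num_events' must be a positive integer")
        tf = rule.get("timeframe")
        if not isinstance(tf, dict) or not tf or not set(tf) <= TIME_UNITS:
            problems.append("'timeframe' must be a mapping such as {hours: 1}")
    flt = rule.get("filter", [])
    if not isinstance(flt, list):
        problems.append("'filter' must be a YAML list (each entry starts with '- ')")
    else:
        for i, clause in enumerate(flt):
            if not isinstance(clause, dict) or len(clause) != 1:
                problems.append(f"filter[{i}] must be a single query clause")
                continue
            (qtype, body), = clause.items()
            # term is an exact match on the indexed value; a leading '.' suggests a
            # suffix match was intended, which needs wildcard or query_string instead.
            if qtype == "term" and isinstance(body, dict):
                for field, value in body.items():
                    if isinstance(value, str) and value.startswith("."):
                        problems.append(f"filter[{i}]: term on '{field}' is exact-match, '{value}' looks like a suffix pattern")
    alerts = rule.get("alert")
    if not isinstance(alerts, list):
        problems.append("'alert' must be a list of alerter names")
    elif "email" in alerts and not isinstance(rule.get("email"), list):
        problems.append("the email alerter needs 'email' as a list of recipients")
    return problems
```

Run it on the parsed rule before `elastalert-test-rule`; a non-empty list points at the YAML line to fix, and the term check flags the leading-dot hostname value as a likely mismatch between the query type and the intended match.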

I'm not sure we can help, as this is a non-supported plugin/tool. You'd better ask the authors or switch to the built-in alerting system.

Note that some alert connectors require a commercial license or are available when running your clusters on cloud.elastic.co.
