About Elastalert errors

YUUTA.INOUE-JPN · April 3, 2023, 12:26am

We would like to use elasrticsearch and kibana to achieve the ability to email administrators about unusual events.
We're using elastalert2 for this purpose but the filter is in error.

We have spent a lot of time on this problem, but have not been able to solve.
So we are consulting with those who are on the road ahead. Please help us.
My elastalert commands and results are as follows,

elastalert-test-rule --config elastalert2/config.yaml examples/rules/example_frequency.yaml --alert

##########################

##########################
Error running your filter:
TypeError("Elasticsearch.search() got multiple values for argument 'body'")

1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule Example frequency rule from 2023-03-29 23:21 UTC to 2023-03-29 23:36UTC: 0 / 0 hits
INFO:elastalert:Queried rule Example frequency rule from 2023-03-29 23:36 UTC to 2023-03-29 23:51UTC: 0 / 0 hits
INFO:elastalert:Queried rule Example frequency rule from 2023-03-29 23:51 UTC to 2023-03-30 00:06UTC: 0 / 0 hits
INFO:elastalert:Queried rule Example frequency rule from 2023-03-30 00:06 UTC to 2023-03-30 00:21UTC: 0 / 0 hits
INFO:elastalert:Queried rule Example frequency rule from 2023-03-30 00:21 UTC to 2023-03-30 00:22UTC: 0 / 0 hits

Would have written the following documents to writeback index (default is elastalert_status):

elastalert_status - {'rule_name': 'Example frequency rule', 'endtime': datetime.datetime(2023, 3,30, 0, 22, 6, 480746, tzinfo=tzutc()), 'starttime': datetime.datetime(2023, 3, 29, 23, 21, 30, 480746,
tzinfo=tzutc()), 'matches': 0, 'hits': 0, '@timestamp': datetime.datetime(2023, 3, 30, 0,22, 6, 548239, tzinfo=tzutc()), 'time_taken': 0.03283810615539551}

##########################
My elastalert rule file is as follows.

name: Example frequency rule
type: frequency
index: winlogbeat-7.6.2-*
num_events: 1
timeframe:
hours: 1
filter:

term:
hostname: ".xxx.xxx.co.jp"
alert:
"email"
email:
"xxx.xxx@xxxxxxxxxx.co.jp"
smtp_host: "xxxxxxmail.jp"
smtp_port: 25
smtp_ssl: false
from_addr: "xxxxxxxxx@xxxx.xxxxx.co.jp"
alert_text_type: alert_text_only

dadoonet · April 3, 2023, 5:57am

I'm not sure we can help as this is a non supported plugin/tool. You should better ask the authors or switch to the built in alerting system.

Note that some alert connectors require a commercial license or are available when running your clusters on cloud.elastic.co.

system · May 1, 2023, 5:57am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastalert not sending email Elasticsearch	2	3527	July 5, 2017
Elastalert Not sending Alerts Elasticsearch elastic-stack-alerting	1	140	June 4, 2024
Feasibility to send alerts only if consecutive errors are occurred using elastalert Elasticsearch	4	206	October 10, 2023
Elastisearch query rule type hits contains only one document Logs elastic-stack-alerting	16	1951	August 30, 2021
Count of hits per error Elasticsearch elastic-stack-alerting	2	368	June 25, 2019

About Elastalert errors

Related Topics