Cannot set up email alert in Watcher

Hi,

I installed x-pack (both in Elasticsearch and Kibana, and also restarted all services) and tried to set an email alert by using watcher. However, when I clicked "test fire email", it gave me error showing " Watcher: Cannot read property 'message' of null" and then the browser forced me to quit the page and had to re-login. Couple weird things happened when I have been doing the watcher email alert configuration:

  1. Every time when I installed x-pack ( I have tried install ELK in both CentOS and Ubuntu), the Kibana would just stop to receive any information from metricbeats and showed "no result found " page.
  2. The last time I set this alert configuration, it showed me different error, which was "MessagingException: can't determine local email address"

Does anyone have any idea what is the problem? Thanks!

Hi,

Couple of questions: Which version of ES/Kibana you are on?
Did you set up your email alerts in Elasticsearch.yml?

https://www.elastic.co/guide/en/x-pack/current/actions-email.html#configuring-email-attachments

Thanks,
Bhavya

1 Like

I saw something like this yesterday. For me, I had to specify the "profile" to match the email account specified in Elasticsearch.yml when configuring the email action of the watch.

"actions" : {
  "send_email" : { 
    "email" : { 
      "profile": "outlook"
      "to" : "<username>@<domainname>", 
      "subject" : "Watcher Notification", 
      "body" : "{{ctx.payload.hits.total}} error logs found" 
    }
  }
}
2 Likes

Hi Bhavya,

Thanks for your reply!

I am using all the newest version ES/Kibana/Metricbeat, which is 6.1. I did set the gmail email setting in elasticsearch.yml by following the reference. Actually, my gmail can get the security alert once I was trying to test the email configuration in watch, which means the elasticsearch was able to communicate with the gmail. But once I lowered the security configuration in gmail, it popped up another error, which was showing in the picture..

Thanks,
Chen

Hi David,

Thanks for your reply!

Actually, I am quite new to Elasticsearch, so what I did just follow the reference. And according to the reference, the only configuration I did in Elasticserach.yml was that I added the following :

xpack.notification.email.account:
gmail_account:
profile: gmail
smtp:
auth: true
starttls.enable: true
host: smtp.gmail.com
port: 587
user:
password:

So do you mean I need to add the "actions", which you quoted, to the elasticsearch.yml in order to trigger the email alert feature?

Thanks,

Chen

My suggestion would be to add "profile" : "gmail" into the email action of the watch. That should be the only additional parameter.

Can you clarify what this involved?

2 Likes

Hi David,

Thanks for getting back to me!

Actually I was not quite familiar with some basic API operation, such as add the action. The error I got occurred when I set the watch configuration on Kibana webpage by clicking"Test fire an e-mail now" button ... But today, I tried to add a watch by using API method, the email alert worked! My gmail got the email from Elasticsearch. So I am assuming the problem is the testing feature, not the email setting. I just post the action I successfully executed for reference. Again, thanks for your help. Really appreciate!

"actions" : {
"my_webhook" : {
"webhook" : {
"method" : "POST",
"host" : "mylisteninghost",
"port" : 9200,
"path" : "/{{watch_id}}",
"body" : "Encountered {{ctx.payload.hits.total}} errors"
}
},
"email_administrator" : {
"email" : {
"to" : "xxxxxxxx@gmail.com",
"subject" : "Encountered {{ctx.payload.hits.total}} errors",
"body" : "Too many error in the system, see attached data",
"attachments" : {
"attached_data" : {
"data" : {
"format" : "json"
}
}
},
"priority" : "high"
}
}
}

I think I solved the problem. The reason I couldn't get any metricbeat info after instaling x-pack was I didn't set username and password in metribeat.yml . And the error I got when I was trying to send a "test email" still exists, however, it is able to send an alert email when I set an appropriate action. So I just ignore the error.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.