Elastalert Not sending Alerts

Amritpal · June 4, 2024, 11:26am

I have Setup Elastalert but it is not sending any alerts in elastalert logs I am keep getting : INFO:elastalert:Ran ELK Rules from 2024-06-04 10:59 UTC to 2024-06-04 11:14 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent

this is my config.yam :

rules_folder: elk-rules


run_every:
  minutes: 1


buffer_time:
  minutes: 15


es_host: 127.0.0.1

# The Elasticsearch port
es_port: 9200

writeback_index: elastalert_status
writeback_alias: elastalert_alerts

alert_time_limit:
  days: 2

alert_time_limit:
  days: 2

alert:
- "email"  
  
email:
- "reciever@example.com"

smtp_host: "smtp.example.com"
smtp_port: 587
smtp_ssl: true  
verify_certs: false
smtp_auth_file: '/fakepath/elastalert/.smtp_auth.yaml'
from_addr: "noreply@example.com"

and this is my rules.yaml :

es_host: 127.0.0.1
es_port: 9200
name: ELK Rules
type: frequency
index: filebeat-*
timestamp_field: "@timestamp"
  #timestamp_type: "iso"
timestamp_type: unix
num_events: 1
timeframe:
    minutes: 30
    #hours: 4
filter:
    - query:
        query_string:
          query: "agent.hostname: elk"
  
alert:
- "email"

Below is output which I am getting while executing : elastalert-test-rule --config config.yaml elk-rules/alerts.yaml

INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
            To send them but remain verbose, use --verbose instead.
/usr/local/lib/python3.6/site-packages/elastalert-0.2.4-py3.6.egg/elastalert/loaders.py:95: ResourceWarning: unclosed file <_io.TextIOWrapper name='/usr/local/lib/python3.6/site-packages/elastalert-0.2.4-py3.6.egg/elastalert/schema.yaml' mode='r' encoding='UTF-8'>
  yaml.load(open(os.path.join(os.path.dirname(__file__), 'schema.yaml')), Loader=yaml.FullLoader))
Didn't get any results.
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
                To send them but remain verbose, use --verbose instead.
1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 10:55 UTC to 2024-06-04 11:10 UTC: 0 / 0 hits
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 11:10 UTC to 2024-06-04 11:25 UTC: 0 / 0 hits
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 11:25 UTC to 2024-06-04 11:25 UTC: 0 / 0 hits

Would have written the following documents to writeback index (default is elastalert_status):

elastalert_status - {'rule_name': 'ELK Rules', 'endtime': datetime.datetime(2024, 6, 4, 11, 25, 38, 901658, tzinfo=tzutc()), 'starttime': datetime.datetime(2024, 6, 4, 10, 55, 20, 901658, tzinfo=tzutc()), 'matches': 0, 'hits': 0, '@timestamp': datetime.datetime(2024, 6, 4, 11, 25, 38, 956372, tzinfo=tzutc()), 'time_taken': 0.022226333618164062}

leandrojmp · June 4, 2024, 11:46am

Hello and welcome,

ElastAlert is not an Elastic tool, so it is not supported in this forum, you need to check their github for any issues or questions.

Topic		Replies	Views
Elastalert not sending email Elasticsearch	2	3528	July 5, 2017
Config elastalert Kibana	2	692	October 2, 2019
Elastalert send me 0 hit query doesn't work ? please help Kibana	3	993	October 7, 2021
ElastAlert Error smtplib.SMTPSenderRefused: (530, b'5.7.0 Authentication Required. Learn more at\n5.7.0 Elasticsearch elastic-stack-monitoring , elastic-stack-alerting , docker	1	413	November 7, 2023
Elastalert plugin in ELK 7.9.0 Elasticsearch	3	937	October 6, 2020

Elastalert Not sending Alerts

Related topics