I have set up ElastAlert, but it is not sending any alerts. In the ElastAlert logs I keep getting: INFO:elastalert:Ran ELK Rules from 2024-06-04 10:59 UTC to 2024-06-04 11:14 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
This is my config.yaml:
rules_folder: elk-rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: 127.0.0.1
# The Elasticsearch port
es_port: 9200
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2
alert:
  - "email"
email:
  - "reciever@example.com"
smtp_host: "smtp.example.com"
smtp_port: 587
smtp_ssl: true
verify_certs: false
smtp_auth_file: '/fakepath/elastalert/.smtp_auth.yaml'
from_addr: "noreply@example.com"
And this is my rules.yaml:
es_host: 127.0.0.1
es_port: 9200
name: ELK Rules
type: frequency
index: filebeat-*
timestamp_field: "@timestamp"
#timestamp_type: "iso"
timestamp_type: unix
num_events: 1
timeframe:
  minutes: 30
  #hours: 4
filter:
  - query:
      query_string:
        query: "agent.hostname: elk"
alert:
  - "email"
Below is the output I get when executing: elastalert-test-rule --config config.yaml elk-rules/alerts.yaml
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
/usr/local/lib/python3.6/site-packages/elastalert-0.2.4-py3.6.egg/elastalert/loaders.py:95: ResourceWarning: unclosed file <_io.TextIOWrapper name='/usr/local/lib/python3.6/site-packages/elastalert-0.2.4-py3.6.egg/elastalert/schema.yaml' mode='r' encoding='UTF-8'>
yaml.load(open(os.path.join(os.path.dirname(__file__), 'schema.yaml')), Loader=yaml.FullLoader))
Didn't get any results.
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 10:55 UTC to 2024-06-04 11:10 UTC: 0 / 0 hits
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 11:10 UTC to 2024-06-04 11:25 UTC: 0 / 0 hits
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 11:25 UTC to 2024-06-04 11:25 UTC: 0 / 0 hits
Would have written the following documents to writeback index (default is elastalert_status):
elastalert_status - {'rule_name': 'ELK Rules', 'endtime': datetime.datetime(2024, 6, 4, 11, 25, 38, 901658, tzinfo=tzutc()), 'starttime': datetime.datetime(2024, 6, 4, 10, 55, 20, 901658, tzinfo=tzutc()), 'matches': 0, 'hits': 0, '@timestamp': datetime.datetime(2024, 6, 4, 11, 25, 38, 956372, tzinfo=tzutc()), 'time_taken': 0.022226333618164062}
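The `0 / 0 hits` lines in the test output mean the query itself returned nothing, so the e-mail settings never come into play; the first thing to check is the time-window clause that ElastAlert prepends to the rule's `filter`. Filebeat writes `@timestamp` as an ISO-8601 string, and an Elasticsearch `date` field with the default format (`strict_date_optional_time||epoch_millis`) reads a bare number as epoch milliseconds, so bounds emitted as epoch seconds (`timestamp_type: unix`) land in January 1970 and cannot match a recent event. The script below is an added illustration, not part of the post or of ElastAlert's code base: it re-implements a simplified version of the `range` clause ElastAlert builds (`gt`/`lte` on `timestamp_field`), parses the bounds the way Elasticsearch would, and evaluates the clause against one constructed Filebeat document for each `timestamp_type`. The window bounds and the sample document are assumptions.

```python
"""Model how a rule's timestamp_type changes the range clause ElastAlert sends.

Simplified re-implementation for illustration only (not ElastAlert's own code):
build the {"range": {"@timestamp": {...}}} clause the way the rule would, then
evaluate it the way Elasticsearch parses a `date` field whose format is the
default `strict_date_optional_time||epoch_millis`.
"""
from datetime import datetime, timedelta, timezone


def dt_to_ts(dt: datetime, timestamp_type: str):
    """Serialise a query bound according to the rule's timestamp_type."""
    if timestamp_type == "iso":
        return dt.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    if timestamp_type == "unix":
        return int(dt.timestamp())           # epoch *seconds*
    if timestamp_type == "unix_ms":
        return int(dt.timestamp() * 1000)    # epoch milliseconds
    raise ValueError(f"unknown timestamp_type: {timestamp_type}")


def build_range_filter(field: str, start: datetime, end: datetime, timestamp_type: str) -> dict:
    """The time-window clause ElastAlert adds in front of the rule filter."""
    return {"range": {field: {"gt": dt_to_ts(start, timestamp_type),
                              "lte": dt_to_ts(end, timestamp_type)}}}


def es_parse_date(value) -> datetime:
    """Parse a bound as Elasticsearch does for a default-format date field:
    an ISO-8601 string, or a bare number interpreted as epoch_millis."""
    if isinstance(value, (int, float)):
        return datetime.fromtimestamp(value / 1000, tz=timezone.utc)
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def range_matches(range_filter: dict, doc_ts: datetime) -> bool:
    """Evaluate the range clause against one document timestamp."""
    (field, bounds), = range_filter["range"].items()
    gt = es_parse_date(bounds["gt"])
    lte = es_parse_date(bounds["lte"])
    return gt < doc_ts <= lte


# Constructed sample: one Filebeat event as Elasticsearch stores it (assumption).
SAMPLE_DOC = {"@timestamp": "2024-06-04T11:00:00.000Z",
              "agent": {"hostname": "elk"},
              "message": "constructed test event"}

# Assumed 15-minute query window, like the one in the test-rule output.
WINDOW_END = datetime(2024, 6, 4, 11, 10, tzinfo=timezone.utc)
WINDOW_START = WINDOW_END - timedelta(minutes=15)


def hits_for(timestamp_type: str) -> int:
    """1 if the sample document falls inside the window the rule would query
    with this timestamp_type, else 0."""
    flt = build_range_filter("@timestamp", WINDOW_START, WINDOW_END, timestamp_type)
    doc_ts = es_parse_date(SAMPLE_DOC["@timestamp"])
    return int(range_matches(flt, doc_ts))


if __name__ == "__main__":
    for tt in ("iso", "unix_ms", "unix"):
        bounds = build_range_filter("@timestamp", WINDOW_START, WINDOW_END, tt)["range"]["@timestamp"]
        print(f"{tt:8} gt={bounds['gt']!s:26} ES reads it as "
              f"{es_parse_date(bounds['gt']).isoformat()}  hits={hits_for(tt)}")
```

With `iso` or `unix_ms` the constructed event is inside the window; with `unix` both bounds are read as milliseconds and collapse into 1970, which is exactly a `0 / 0 hits` query. Against a real cluster the equivalent check is to send the same `range` clause to `filebeat-*` with each serialisation and compare the hit counts.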