Elastalert Not sending Alerts

Amritpal · June 4, 2024, 11:26am

I have Setup Elastalert but it is not sending any alerts in elastalert logs I am keep getting : INFO:elastalert:Ran ELK Rules from 2024-06-04 10:59 UTC to 2024-06-04 11:14 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent

this is my config.yam :

rules_folder: elk-rules


run_every:
  minutes: 1


buffer_time:
  minutes: 15


es_host: 127.0.0.1

# The Elasticsearch port
es_port: 9200

writeback_index: elastalert_status
writeback_alias: elastalert_alerts

alert_time_limit:
  days: 2

alert_time_limit:
  days: 2

alert:
- "email"  
  
email:
- "reciever@example.com"

smtp_host: "smtp.example.com"
smtp_port: 587
smtp_ssl: true  
verify_certs: false
smtp_auth_file: '/fakepath/elastalert/.smtp_auth.yaml'
from_addr: "noreply@example.com"

and this is my rules.yaml :

es_host: 127.0.0.1
es_port: 9200
name: ELK Rules
type: frequency
index: filebeat-*
timestamp_field: "@timestamp"
  #timestamp_type: "iso"
timestamp_type: unix
num_events: 1
timeframe:
    minutes: 30
    #hours: 4
filter:
    - query:
        query_string:
          query: "agent.hostname: elk"
  
alert:
- "email"

Below is output which I am getting while executing : elastalert-test-rule --config config.yaml elk-rules/alerts.yaml

INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
            To send them but remain verbose, use --verbose instead.
/usr/local/lib/python3.6/site-packages/elastalert-0.2.4-py3.6.egg/elastalert/loaders.py:95: ResourceWarning: unclosed file <_io.TextIOWrapper name='/usr/local/lib/python3.6/site-packages/elastalert-0.2.4-py3.6.egg/elastalert/schema.yaml' mode='r' encoding='UTF-8'>
  yaml.load(open(os.path.join(os.path.dirname(__file__), 'schema.yaml')), Loader=yaml.FullLoader))
Didn't get any results.
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
                To send them but remain verbose, use --verbose instead.
1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 10:55 UTC to 2024-06-04 11:10 UTC: 0 / 0 hits
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 11:10 UTC to 2024-06-04 11:25 UTC: 0 / 0 hits
INFO:elastalert:Queried rule ELK Rules from 2024-06-04 11:25 UTC to 2024-06-04 11:25 UTC: 0 / 0 hits

Would have written the following documents to writeback index (default is elastalert_status):

elastalert_status - {'rule_name': 'ELK Rules', 'endtime': datetime.datetime(2024, 6, 4, 11, 25, 38, 901658, tzinfo=tzutc()), 'starttime': datetime.datetime(2024, 6, 4, 10, 55, 20, 901658, tzinfo=tzutc()), 'matches': 0, 'hits': 0, '@timestamp': datetime.datetime(2024, 6, 4, 11, 25, 38, 956372, tzinfo=tzutc()), 'time_taken': 0.022226333618164062}

leandrojmp · June 4, 2024, 11:46am

Hello and welcome,

ElastAlert is not an Elastic tool, so it is not supported in this forum, you need to check their github for any issues or questions.

Topic		Replies	Views
Elastalert not sending email Elasticsearch	2	3527	July 5, 2017
ElastAlert Error smtplib.SMTPSenderRefused: (530, b'5.7.0 Authentication Required. Learn more at\n5.7.0 Elasticsearch elastic-stack-monitoring , elastic-stack-alerting , docker	1	411	November 7, 2023
Elastalert to send alert when particular Exception comes Elasticsearch elastic-stack-alerting	2	2115	July 6, 2017
Alert index is not getting generated Elasticsearch elastic-stack-monitoring , elastic-stack-security , elastic-stack-alerting	2	306	June 26, 2023
Less hits from ElastAlert than the count found in ES Logstash	1	535	June 1, 2017

Elastalert Not sending Alerts

Related Topics