Elastalert gives me 0 hits, query doesn't work? Please help

-------------- my config.yaml --------------

```yaml
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: example_rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 192.168.3.98

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
use_ssl: true

#Verify TLS certificates
#verify_certs: false

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
es_username: elastic
es_password: Mypasword

# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
verify_certs: true
ca_certs: /etc/ca-certificates/ca.crt
#client_cert: /path/to/client_cert.pem
#client_key: /home/aspire/master/master.key

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
writeback_alias: elastalert_alerts

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
```

-------- my rules --------

-- lnx_file_or_folder_permissions.yaml --

```yaml
name: file_or_folder_permissions_change_0
description: Detects file and folder permission changes
index: auditbeat-*
priority: 4
realert:
  minutes: 0
filter:
- query_string:
    query: (a0:( chmod OR chown ) AND type:"EXECVE")
type: any
alert:
- debug
```

------- result shown -------

```text
elastalert-test-rule --config config.yaml example_rules/lnx_file_or_folder_permissions.yaml

INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
Didn't get any results.
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 11:14 +06 to 2021-09-08 11:29 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 11:29 +06 to 2021-09-08 11:44 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 11:44 +06 to 2021-09-08 11:59 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 11:59 +06 to 2021-09-08 12:14 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 12:14 +06 to 2021-09-08 12:29 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 12:29 +06 to 2021-09-08 12:44 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 12:44 +06 to 2021-09-08 12:59 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 12:59 +06 to 2021-09-08 13:14 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 13:14 +06 to 2021-09-08 13:29 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 13:29 +06 to 2021-09-08 13:44 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 13:44 +06 to 2021-09-08 13:59 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 13:59 +06 to 2021-09-08 14:14 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 14:14 +06 to 2021-09-08 14:29 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 14:29 +06 to 2021-09-08 14:44 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 14:44 +06 to 2021-09-08 14:59 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 14:59 +06 to 2021-09-08 15:14 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 15:14 +06 to 2021-09-08 15:29 +06: 0 / 0 hits
```

Anyone, please help me.
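An added example, not code from the post or from ElastAlert, for taking a 0/0-hit rule like the one above out of ElastAlert and checking it directly against Elasticsearch: it rebuilds the rule's query_string filter inside one buffer_time window (the first window in the log) and adds an `exists` probe for each field the query names, so a field-name mismatch can be told apart from a value mismatch. The body layout (a bool filter of time range plus rule filters) is an assumption modelled on ElastAlert's query, not copied from it.

```python
import json
import re
from datetime import datetime, timedelta

# The rule from the post, as a dict constructed to match its YAML.
RULE = {
    "name": "file_or_folder_permissions_change_0",
    "index": "auditbeat-*",
    "timestamp_field": "@timestamp",  # ElastAlert's default
    "filter": [{"query_string": {
        "query": '(a0:( chmod OR chown ) AND type:"EXECVE")'}}],
}
BUFFER_MINUTES = 15  # buffer_time in config.yaml


def fields_in_query(query: str) -> list:
    """Field names a query_string searches (tokens just before a colon)."""
    seen = []
    for name in re.findall(r"([\w.@]+):", query):
        if name not in seen:
            seen.append(name)
    return seen


def time_range(field: str, end_iso: str, minutes: int = BUFFER_MINUTES) -> dict:
    """Range clause for one buffer_time window ending at end_iso."""
    end = datetime.fromisoformat(end_iso)
    start = end - timedelta(minutes=minutes)
    return {"range": {field: {"gt": start.isoformat(), "lte": end.isoformat()}}}


def rule_search_body(rule: dict, end_iso: str) -> dict:
    """The rule's own filters inside the window ElastAlert queried."""
    clauses = [time_range(rule["timestamp_field"], end_iso)] + rule["filter"]
    return {"size": 10, "query": {"bool": {"filter": clauses}}}


def field_probe_bodies(rule: dict, end_iso: str) -> dict:
    """One `exists` probe per field the rule depends on; a probe with 0 hits
    means the documents lack that field name, so no value could ever match."""
    fields = []
    for f in rule["filter"]:
        if "query_string" in f:
            fields += fields_in_query(f["query_string"]["query"])
    return {name: {"size": 0, "track_total_hits": True, "query": {"bool": {
                "filter": [time_range(rule["timestamp_field"], end_iso),
                           {"exists": {"field": name}}]}}} for name in fields}


if __name__ == "__main__":  # paste each body into curl or Kibana Dev Tools
    end = "2021-09-08T11:29:00+06:00"  # end of the first window in the log
    print(json.dumps(rule_search_body(RULE, end), indent=2))
    print(json.dumps(field_probe_bodies(RULE, end), indent=2))
```

Run each printed body as `GET auditbeat-*/_search`; if the rule body returns 0 hits but a probe for `a0` or `type` also returns 0, the indexed documents use different field names and the query_string has to be adjusted to them before the rule can ever fire.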

Hi @Salim_Adnan

This community forum is to help with questions and issues with the official distributions of elasticsearch and / or Elastic Cloud hosted service.

Elastalert is not part of the default Elasticsearch distribution; it is a 3rd-party plugin, so perhaps it would be better to contact that project with your questions.

In addition, it also looks like perhaps you're using AWS-managed Elasticsearch, which is also not part of the official Elasticsearch distribution, so perhaps you should visit the AWS OpenSearch forum.

Of course we think the best distribution is the official distribution from elastic and perhaps you could try the new Kibana alerting framework and see if those would meet your needs.
