--------------my config.yaml------------
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: example_rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 192.168.3.98

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
use_ssl: true

# Verify TLS certificates (left commented out here; the active setting is the
# verify_certs: true line further down, together with ca_certs)
#verify_certs: false

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Optional basic-auth username and password for Elasticsearch
es_username: elastic
es_password: Mypasword

# Use SSL authentication with client certificates. client_cert must be
# a pem file containing both cert and key for the client
verify_certs: true
ca_certs: /etc/ca-certificates/ca.crt
#client_cert: /path/to/client_cert.pem
#client_key: /home/aspire/master/master.key

# The index on es_host which is used for metadata storage
# This can be an unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
writeback_alias: elastalert_alerts

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
-------- my rules--------
--lnx_file_or_folder_permissions.yaml--
name: file_or_folder_permissions_change_0
description: Detects file and folder permission changes
index: auditbeat-*
priority: 4
# realert of 0 minutes: every match raises an alert, nothing is suppressed
realert:
  minutes: 0
# Lucene query_string filter. The fields a0 and type must exist in the
# auditbeat-* mapping; a query_string on an unmapped field matches no
# documents and the rule then reports 0 / 0 hits without any error
filter:
- query_string:
    query: (a0:( chmod OR chown ) AND type:"EXECVE")
type: any
# debug alerter: matches are logged to the console, not sent anywhere
alert:
- debug
-------- result --------
elastalert-test-rule --config config.yaml example_rules/lnx_file_or_folder_permissions.yaml
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
Didn't get any results.
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
To send them but remain verbose, use --verbose instead.
1 rules loaded
INFO:apscheduler.scheduler:Adding job tentatively -- it will be properly scheduled when the scheduler starts
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 11:14 +06 to 2021-09-08 11:29 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 11:29 +06 to 2021-09-08 11:44 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 11:44 +06 to 2021-09-08 11:59 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 11:59 +06 to 2021-09-08 12:14 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 12:14 +06 to 2021-09-08 12:29 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 12:29 +06 to 2021-09-08 12:44 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 12:44 +06 to 2021-09-08 12:59 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 12:59 +06 to 2021-09-08 13:14 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 13:14 +06 to 2021-09-08 13:29 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 13:29 +06 to 2021-09-08 13:44 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 13:44 +06 to 2021-09-08 13:59 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 13:59 +06 to 2021-09-08 14:14 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 14:14 +06 to 2021-09-08 14:29 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 14:29 +06 to 2021-09-08 14:44 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 14:44 +06 to 2021-09-08 14:59 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 14:59 +06 to 2021-09-08 15:14 +06: 0 / 0 hits
INFO:elastalert:Queried rule file_or_folder_permissions_change_0 from 2021-09-08 15:14 +06 to 2021-09-08 15:29 +06: 0 / 0 hits
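The "Didn't get any results." line near the top comes from elastalert-test-rule running the rule's filter on its own before the windowed run, so the filter itself matches nothing in auditbeat-*; the per-window 0 / 0 lines that follow are the same fact repeated every buffer_time (15 minutes, as in config.yaml). The usual cause is that the query names fields the index does not map (Auditbeat's auditd module, for example, stores the record type in auditd.message_type and exec arguments in process.args rather than top-level type and a0). The script below is an added example written for this page; it is not ElastAlert's code and not from the original post. It transcribes the rule and connection settings above, lists the field names the Lucene query references, rebuilds the filter-plus-time-range query for the same 15-minute windows the log shows, and, when run with --online, asks Elasticsearch which of those fields are mapped, using the TLS and basic-auth settings from config.yaml. The regex field extraction, the _mapping/field check, the exact query shape (ElastAlert's differs in detail between Elasticsearch versions) and SAMPLE_MAPPING are all assumptions or constructed data, not taken from the author's cluster.

```python
"""Diagnose an ElastAlert rule that reports 0 / 0 hits (added example, not ElastAlert code)."""
import base64
import json
import re
import ssl
import sys
from datetime import datetime, timedelta, timezone
from urllib.request import Request, urlopen

# Transcribed from config.yaml and lnx_file_or_folder_permissions.yaml above
# (password kept exactly as posted; rotate it if it is a real one).
CONFIG = {
    "es_host": "192.168.3.98", "es_port": 9200, "use_ssl": True,
    "verify_certs": True, "ca_certs": "/etc/ca-certificates/ca.crt",
    "es_username": "elastic", "es_password": "Mypasword",
    "buffer_time": {"minutes": 15},
}
RULE = {
    "name": "file_or_folder_permissions_change_0",
    "index": "auditbeat-*",
    "timestamp_field": "@timestamp",  # ElastAlert's default
    "filter": [{"query_string": {"query": '(a0:( chmod OR chown ) AND type:"EXECVE")'}}],
    "type": "any",
}

# Constructed GET auditbeat-*/_mapping/field/... answer (assumption, not captured):
# Elasticsearch only echoes fields that exist, so unmapped ones are simply absent.
SAMPLE_MAPPING = {
    "auditbeat-7.14.0-2021.09.08": {"mappings": {
        "process.args": {"full_name": "process.args", "mapping": {"args": {"type": "keyword"}}},
        "auditd.message_type": {"full_name": "auditd.message_type",
                                "mapping": {"message_type": {"type": "keyword"}}},
    }}
}

# "field:" tokens of a Lucene query; the lookbehind keeps dotted names whole
FIELD_RE = re.compile(r"(?<![\w.@])([@A-Za-z_][\w.@]*)\s*:")


def query_fields(rule):
    """Field names referenced by the rule's query_string filters, first-seen order."""
    names = []
    for flt in rule["filter"]:
        if "query_string" in flt:
            names.extend(FIELD_RE.findall(flt["query_string"]["query"]))
    return list(dict.fromkeys(names))  # -> ['a0', 'type'] for the rule above


def query_windows(start, end, buffer_time):
    """Split [start, end) into the buffer_time-sized windows the log lines show."""
    step = timedelta(**buffer_time)
    windows = []
    while start < end:
        windows.append((start, min(start + step, end)))
        start += step
    return windows


def build_search_body(rule, start, end):
    """Filter-plus-time-range query for one window (semantics of ElastAlert's query)."""
    ts = rule.get("timestamp_field", "@timestamp")
    rng = {"range": {ts: {"gt": start.isoformat(), "lte": end.isoformat()}}}
    return {"query": {"bool": {"filter": rule["filter"] + [rng]}},
            "sort": [{ts: {"order": "asc"}}], "size": 1}


def missing_fields(fields, mapping_response):
    """Fields that no index in a _mapping/field response maps at all."""
    mapped = set()
    for index_body in mapping_response.values():
        mapped.update(index_body.get("mappings", {}).keys())
    return [f for f in fields if f not in mapped]


def fetch_field_mapping(config, index, fields):
    """Online check with config.yaml's TLS/basic-auth settings (needs es_host reachable)."""
    scheme = "https" if config.get("use_ssl") else "http"
    url = f"{scheme}://{config['es_host']}:{config['es_port']}/{index}/_mapping/field/{','.join(fields)}"
    req = Request(url)
    if config.get("es_username"):
        token = base64.b64encode(f"{config['es_username']}:{config['es_password']}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=config.get("ca_certs"))
    if not config.get("verify_certs", True):  # mirrors verify_certs: false; avoid in production
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def demo(hours=1):
    """Rebuild the first `hours` of the test run above (starting 11:14 +06) as (from, to, body)."""
    start = datetime(2021, 9, 8, 11, 14, tzinfo=timezone(timedelta(hours=6)))
    return [(f"{a:%H:%M}", f"{b:%H:%M}", build_search_body(RULE, a, b))
            for a, b in query_windows(start, start + timedelta(hours=hours), CONFIG["buffer_time"])]


if __name__ == "__main__":
    fields = query_fields(RULE)
    print("fields referenced by the rule:", fields)
    for frm, to, body in demo():
        print(f"window {frm} -> {to}:", json.dumps(body))
    mapping = fetch_field_mapping(CONFIG, RULE["index"], fields) if "--online" in sys.argv else SAMPLE_MAPPING
    print("fields not mapped in", RULE["index"], ":", missing_fields(fields, mapping))
```

Without --online the script uses the constructed SAMPLE_MAPPING and reports a0 and type as unmapped, which is the situation to rule out first: run it with --online against the real cluster, and if the same two names come back, rewrite the query against fields that `GET auditbeat-*/_mapping` actually lists before touching anything else in ElastAlert.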