Hello team,
I have installed ElastAlert2 and configured it with ELK.
I want to trigger an email alert that includes all alerts, instead of sending each alert live. Is there a custom rule or anything for that?
How can I do that? Please help!
I have used this custom rule to trigger live email alerts:
index: .ds-logs-auditd.log-default-*
type: any
filter:
  - term:
      event.action: "started-session"
  - bool:
      must_not:
        term:
          user.terminal: "cron"
alert:
  - "email"
email:
  - "***"
smtp_host: d.in
smtp_port: port
smtp_auth_file: smtp_auth.yaml
alert_subject: "Alert: Sudo Command Execution or Session Start Detected on {0}"
alert_subject_args:
  - "agent.name"
alert_text: |
  Alert! A sudo command execution or session start was detected:
  - Timestamp: {0}
  - Host: {1}
  - User ID: {2}
  - Username: {3}
  - Event Action: {4}
  - Outcome: {5}
alert_text_type: alert_text_only
alert_text_args:
  - "@timestamp"
  - "agent.name"
  - "user.id"
  - "user.name"
  - "event.action"
  - "event.outcome"
I was getting alerts!
So I tried modifying this rule to print the output to a file. The rule looks like:
cat elastalert2/custom/rules/sudo_rule_file.yaml
name: "Sudo Command Execution Alert"
type: any
index: .ds-logs-auditd.log-default-*
filter:
  - term:
      event.action: "started-session"
alert:
  - command
command:
  - "/bin/bash"
  - "-c"
  - "echo 'Alert! sudo command executed at {{@timestamp}} on {{agent.name}} by user {{user.id}} ({{user.name}}) with outcome: {{event.outcome}}' >> /home/sandra/sudo_alert.txt"
command_args:
  - "@timestamp"
  - "agent.name"
  - "user.id"
  - "user.name"
  - "event.outcome"
alert_subject: "Alert: Sudo Command Execution Detected on {{agent.name}}"
alert_subject_args:
  - "agent.name"
alert_text: |
  **Alert! A sudo command was executed:**
  - **Timestamp:** {{@timestamp}}
  - **Host:** {{agent.name}}
  - **User ID:** {{user.id}}
  - **Username:** {{user.name}}
  - **Outcome:** {{event.outcome}}
alert_text_type: alert_text_only
alert_text_args:
  - "@timestamp"
  - "agent.name"
  - "user.id"
  - "user.name"
  - "event.outcome"
But the output was
Please help me to solve this.
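The batching the question asks for is what ElastAlert2 calls `aggregation`: matches are held for the configured window (or until a cron `schedule` fires) and then delivered as one alert, with `summary_table_fields` adding a per-match table to the body. The rule below is an added example written for this thread, not the poster's rule and not from the ElastAlert2 project; it reuses the field names from the post, and the rule name, recipient, SMTP host, output path and helper script are placeholders. It also shows the command alerter used without a shell: the matches are handed to the script on stdin as a JSON array via `pipe_match_json`, so no match field is ever spliced into a `bash -c` string.

```yaml
# Added example: one aggregated e-mail per hour instead of one e-mail per match.
# Rule name, recipient, SMTP host, output path and script path are placeholders.
name: "sudo session digest (hourly)"
type: any
index: .ds-logs-auditd.log-default-*

filter:
  - term:
      event.action: "started-session"
  - bool:
      must_not:
        term:
          user.terminal: "cron"

# Hold every match for the window and send them together when it closes.
# For a fixed delivery time use cron syntax instead, e.g. schedule: "0 8 * * *"
aggregation:
  hours: 1

# Prepend a table with these fields for all matches in the aggregated alert.
summary_table_fields:
  - "@timestamp"
  - agent.name
  - user.name
  - event.outcome

alert:
  - email
  - command

email:
  - "soc@example.invalid"          # placeholder recipient
smtp_host: smtp.example.invalid    # placeholder host
smtp_port: 587
smtp_auth_file: smtp_auth.yaml

# In an aggregated alert the subject is rendered from the first match only.
alert_subject: "Digest: sudo sessions on {0}"
alert_subject_args:
  - agent.name

# alert_text is rendered once per match; the rendered blocks are concatenated
# in the mail body, separated by a dashed line.
alert_text_type: alert_text_only
alert_text: |
  - Timestamp: {0}
  - Host: {1}
  - User: {2} ({3})
  - Outcome: {4}
alert_text_args:
  - "@timestamp"
  - agent.name
  - user.id
  - user.name
  - event.outcome

# Command alerter as an argument list (no shell). The aggregated matches are
# written to the script's stdin as a JSON array; the script appends them to
# the output file. Both paths are hypothetical.
command:
  - /usr/local/bin/append_alerts.py
  - /var/log/elastalert/sudo_alerts.jsonl
pipe_match_json: true
```

Two details explain the empty or literal output from the second rule in the post: the command alerter has no `command_args` option, and it formats the `command` list with Python `str.format`, where a field is written `{match[agent.name]}` and a doubled brace `{{agent.name}}` is emitted as the literal text `{agent.name}`. Passing the matches on stdin, as above, sidesteps the formatting syntax entirely. A rule file can be exercised against the index without sending anything with `elastalert-test-rule --config config.yaml rule.yaml`.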