Logstash email alerts

Hi,
I'm trying to configure Logstash to send mail, but it doesn't seem to work.
My config file:
input {
  http_poller {
    urls => {
      url => "xxxl"
    }
    request_timeout => 60
    schedule => { every => "60s" }
    codec => "json"
  }
}
filter {
  split { field => "[bookings]" }
  split { field => "[bookings][rooms]" }
  mutate {
    rename => {
      "[bookings][bookingId]" => "bookingId"
      "[bookings][status]" => "status"
      "[bookings][hotelId]" => "hotelId"
      "[bookings][hotelName]" => "hotelName"
      "[bookings][hotelCity]" => "hotelCity"
      "[bookings][hotelCountry]" => "hotelCountry"
      "[bookings][arrDate]" => "arrDate"
      "[bookings][depDate]" => "depDate"
      "[bookings][price]" => "price"
      "[bookings][currency]" => "currency"
      "[bookings][purchasePrice]" => "purchasePrice"
      "[bookings][partnerName]" => "partnerName"
      "[bookings][partnerId]" => "partnerId"
      "[bookings][firstName]" => "firstName"
      "[bookings][lastName]" => "lastName"
      "[bookings][channel]" => "channel"
      "[bookings][supplierName]" => "supplierName"
      "[bookings][rooms][board]" => "board"
      "[bookings][rooms][paxes][adults]" => "adults"
      "[bookings][rooms][paxes][infant]" => "infant"
      "[bookings][rooms][paxes][children]" => "children"
      "[bookings][rooms][quantity]" => "quantity"
      "[bookings][rooms][room]" => "room"
    }
    remove_field => ["confirmedDate", "bookingRef", "bookings", "createdDate", "hotelAddress", "hotelPhonearrDate", "customerId", "title", "email", "city", "mobile", "supplierId", "paxe", "payments", "options", "isXML"]
  }
}
output {
  elasticsearch {
    hosts => "localhost:9200"
    index => "bookingstest"
    action => "update"
    doc_as_upsert => "true"
    document_id => "%{bookingId}"
  }
  if [http_poller_metadata][code] != 200 {
    stdout {
      email {
        from => "logstash.alert@example.com"
        subject => "logstash alert"
        to => "test@gmail.com"
        via => "smtp"
        body => "Here is the event line that occured"
      }
    }
  }
  stdout { codec => rubydebug }
}

I use ELK 7.7.0.

Please, what are the steps to receive the mail?

The default metadata target for http_poller is @metadata, not http_poller_metadata, so that field will not exist.

Also, I would expect logstash not to start if you try to nest an email output inside a stdout output.

I get this error:

[2020-06-10T15:28:51,205][WARN ][logstash.outputs.elasticsearch][main] Attempted to resurrect connection to dead ES instance, but got an error. {:url=>"http://localhost:9200/", :error_type=>LogStash::Outputs::ElasticSearch::HttpClient::Pool::BadResponseCodeError, :error=>"Got response code '401' contacting Elasticsearch at URL 'http://localhost:9200/'"}

I changed the config file:

output {
  if [@metadata][code] == 200 {
    elasticsearch {
      hosts => "localhost:9200"
      index => "bookingstest"
      action => "update"
      doc_as_upsert => "true"
      document_id => "%{bookingId}"
    }
  }
  else {
    email {
      from => "logstash.alert@nowhere.com"
      subject => "logstash alert"
      to => "xxxx"
      via => "smtp"
      body => "Here is the event line that occured: %{message}"
    }
  }

  stdout { codec => rubydebug }
}

If you are getting a 401 (unauthorized) error when connecting to elasticsearch then I suspect you need to set the user and password options on the output.
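
An output section that combines the three points raised in the replies above, as an added example that is not from any poster in this thread. The SMTP relay `smtp.example.com`, the recipient `ops@example.com`, port 587 and the keystore/environment keys `ES_USER`, `ES_PWD`, `SMTP_USER` and `SMTP_PWD` are placeholders assumed for illustration.

```logstash
# Added example. Placeholders: smtp.example.com, ops@example.com, port 587,
# and the keystore/environment keys ES_USER, ES_PWD, SMTP_USER, SMTP_PWD.
output {
  # http_poller stores request metadata under [@metadata] by default,
  # so the HTTP status is [@metadata][code], not [http_poller_metadata][code].
  if [@metadata][code] == 200 {
    elasticsearch {
      hosts         => ["http://localhost:9200"]
      index         => "bookingstest"
      action        => "update"
      doc_as_upsert => true
      document_id   => "%{bookingId}"
      # Credentials suggested in the reply for the 401. ${...} is resolved
      # from the Logstash keystore (bin/logstash-keystore add ES_PWD) or the
      # environment, so the password is not stored in this file.
      user          => "${ES_USER}"
      password      => "${ES_PWD}"
    }
  } else {
    # email is its own output plugin, a sibling of stdout, not nested in it.
    email {
      address  => "smtp.example.com"   # placeholder SMTP relay
      port     => 587                  # assumed submission port
      use_tls  => true
      username => "${SMTP_USER}"
      password => "${SMTP_PWD}"
      via      => "smtp"
      from     => "logstash.alert@example.com"
      to       => "ops@example.com"    # placeholder recipient
      subject  => "logstash alert"
      body     => "http_poller got HTTP status %{[@metadata][code]}"
    }
  }
  # [@metadata] is hidden by default; print it while debugging the conditional.
  stdout { codec => rubydebug { metadata => true } }
}
```

Without an `address` setting the email output delivers to an SMTP server on `localhost`, so a relay has to be reachable there or configured explicitly.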
