Need help on elastalert configuration

I have set up an ELK stack: installed Filebeat on the target hosts and configured one centralised Logstash server. I created an Elasticsearch domain and put the domain URL in the Logstash conf file. I have also set up ElastAlert on the same Logstash server to send me mail when certain error text is matched. Below is the elastalert conf file:

```yaml
# (Required)
# Index to search, wildcard supported
index: logstash-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 4

# A list of elasticsearch filters used for finding events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
alert_text_type: alert_text_only

filter:
- query:
    query_string:
      query: "Invalid Password"

# (Required)
# The alert is used when a match is found
alert:
- "email"

alert_text: |
  ElastAlert has detected suspicious activity for {0}.
  At {1}, an {2} error occurred under {3} path. {4}. Do something about it!

alert_text_args:
- email
- host
- type
- source
- message

# (required, email specific)
# a list of email addresses to send alerts to
email:
```

The issue is that the email I am getting has other irrelevant info in it. Below is the email:

```yaml
# (Required)
# Index to search, wildcard supported
index: logstash-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 4

# A list of elasticsearch filters used for finding events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
alert_text_type: alert_text_only

filter:
- query:
    query_string:
      query: "Invalid Password"

# (Required)
# The alert is used when a match is found
alert:
- "email"

alert_text: |
  ElastAlert has detected suspicious activity for {0}.
  At {1}, an {2} error occurred under {3} path. {4}. Do something about it!

alert_text_args:
- email
- host
- type
- source
- message

# (required, email specific)
# a list of email addresses to send alerts to
email:
```

Please let me know how I would remove the irrelevant data from the mail.
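Added illustration, not ElastAlert's own code and not part of the original post: a simplified Python re-implementation of how `alert_text`, `alert_text_args` and `alert_text_type` from the rule above combine into the mail body for one matched document. The sample document and its field names are constructed; it shows that `{0}` (`email`) is not a field of a Filebeat event and so renders as a placeholder, and that without `alert_text_type: alert_text_only` every field of the match is appended.

```python
# Simplified model of ElastAlert's alert text rendering (illustration only,
# not the project's code). Field names and the sample event are constructed.

ALERT_TEXT = (
    "ElastAlert has detected suspicious activity for {0}.\n"
    "At {1}, an {2} error occurred under {3} path. {4}. Do something about it!"
)
ALERT_TEXT_ARGS = ["email", "host", "type", "source", "message"]

# Constructed sample match, shaped like a Filebeat -> Logstash document.
SAMPLE_MATCH = {
    "@timestamp": "2016-03-01T10:15:00Z",
    "host": "app01",
    "type": "syslog",
    "source": "/var/log/auth.log",
    "message": "Invalid Password for user admin",
    "beat": {"name": "app01", "version": "1.1.0"},
}


def lookup_key(match, dotted_key):
    """Resolve 'a.b.c' against nested dicts; None when any part is absent."""
    value = match
    for part in dotted_key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def render_alert_text(match, alert_text, alert_text_args):
    """Fill {0}..{n} from alert_text_args; a missing field becomes a marker."""
    values = [lookup_key(match, key) for key in alert_text_args]
    values = ["<MISSING VALUE>" if v is None else v for v in values]
    return alert_text.format(*values)


def build_email_body(match, alert_text, alert_text_args, alert_text_type=None):
    """alert_text_only: just the rendered text; otherwise append every field."""
    body = render_alert_text(match, alert_text, alert_text_args)
    if alert_text_type == "alert_text_only":
        return body
    # Default behaviour: dump the whole matched document after the text.
    fields = "\n".join("%s: %s" % (k, v) for k, v in sorted(match.items()))
    return body + "\n\n" + fields


if __name__ == "__main__":
    print(build_email_body(SAMPLE_MATCH, ALERT_TEXT, ALERT_TEXT_ARGS,
                           "alert_text_only"))
```

Note that in the rule as written `{1}` receives `host`, not a timestamp, so the "At {1}" phrase will show the hostname; use a field such as `@timestamp` in `alert_text_args` if a time is wanted there.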

You may need to ask the elastalert authors directly. I don't believe they hang out on these forums.