Need help on elastic search


(Vilas ) #1

I have set up an ELK environment. I installed filebeat on a few servers and logstash on a separate single server, 10-192-4-253. I have set up the Elastalert configuration on the logstash server. Below is "example_frequency.yaml", located at "/opt/logstash/python/elastalert":

type: frequency
index: logstash-*
num_events: 50
timeframe:
  hours: 4
filter:
- term:
    type: "stdout"
alert:
- "email"
alert_text: |
  "ElastAlert has detected suspicious activity for {0} <b>ElastAlert has detected suspicious activity for {0}</b>"
  At {1}, an {2} error occured. Do something about it!
alert_text_args:
- email
- host
- type
email:

In the alert mail I am also getting the JSON code as follows:

"ElastAlert has detected suspicious activity for <b>ElastAlert has detected suspicious activity for </b>"
At ip-10-169-1-48.ec2.internal, an stdout error occured. Do something about it!

At least 50 events occurred between 2016-05-05 03:36 EDT and 2016-05-05 07:36 EDT

(the following is the JSON code)
@timestamp: 2016-05-05T11:36:32.022Z
@version: 1
id: AVSAtIJ5Ydfq7dPgGSL
_index: logstash-2016.05.05
_type: stdout
beat: {
"hostname": "ip-10-169-1-48.ec2.internal",
"name": "ip-10-169-1-48.ec2.internal"
}
count: 1
fields: {
"environment": "NA-DEV",
"platform": "RSDMT"
}
host: ip-10-169-1-48.ec2.internal
input_type: log
message: 07:36:29,391 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - About to instantiate appender of type [ch.qos.logback.core.rolling.RollingFileAppender]
offset: 510957
source: /opt/tomcat/logs/stdout.log
tags: [
"beats_input_codec_plain_applied"
]
type: stdout

How do I omit the above JSON code from the alert mail? Please suggest.
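An added example, not the poster's file: the same rule written as valid YAML, using ElastAlert's alert_text_type option so that the mail carries only alert_text and the matched document's field dump is left out. The recipient address is a placeholder, and the alert_text_args are changed to fields that actually appear in the posted match (host, source, type); the original "email" argument rendered as an empty {0} because no such field exists in the match.

```yaml
# Added example (not the poster's rule file); ElastAlert frequency rule.
type: frequency
index: logstash-*
num_events: 50
timeframe:
  hours: 4
filter:
- term:
    type: "stdout"

alert:
- "email"
email:
- "soc@example.com"          # placeholder recipient, not from the post

# Send only alert_text; do not append the matched document's fields
# (the JSON block the poster sees) to the mail body.
alert_text_type: alert_text_only
alert_text: |
  ElastAlert has detected suspicious activity for {0}
  At {1}, a {2} error occurred. Do something about it!

# Each {n} in alert_text is filled from a field of the matched document,
# in this order. These three are present in the match shown above.
alert_text_args:
- host
- source
- type
```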


(Mark Walkom) #2

Please do not cross post - Need help on Elastalert


(Mark Walkom) #3