I have set up an ELK environment. I installed Filebeat on a few servers and Logstash on a separate single server -10-192-4-253. I have set up the ElastAlert configuration on the Logstash server. Below is "/example_frequency.yaml" at the "/opt/logstash/python/elastalert" location:
type: frequency
index: logstash-*
num_events: 50
timeframe:
  hours: 4
filter:
- term:
    type: "stdout"
alert:
- "email"
alert_text: |
  "ElastAlert has detected suspicious activity for {0} < b>ElastAlert has detected suspicious activity for {0}< /b>"
  At {1}, an {2} error occured. Do something about it!
alert_text_args:
- host
- type
email:
In the alert mail I am also getting the JSON code, as follows:
"ElastAlert has detected suspicious activity for < b>ElastAlert has detected suspicious activity for < /b>"
At ip-10-169-1-48.ec2.internal, an stdout error occured. Do something about it!
At least 50 events occurred between 2016-05-05 03:36 EDT and 2016-05-05 07:36 EDT
(following is json code)
@timestamp: 2016-05-05T11:36:32.022Z
@version: 1
id: AVSAtIJ5Ydfq7dPgGSL
_index: logstash-2016.05.05
_type: stdout
beat: {
    "hostname": "ip-10-169-1-48.ec2.internal",
    "name": "ip-10-169-1-48.ec2.internal"
}
count: 1
fields: {
    "environment": "NA-DEV",
    "platform": "RSDMT"
}
host: ip-10-169-1-48.ec2.internal
input_type: log
message: 07:36:29,391 |-INFO in ch.qos.logback.core.joran.action.AppenderAction - About to instantiate appender of type [ch.qos.logback.core.rolling.RollingFileAppender]
offset: 510957
source: /opt/tomcat/logs/stdout.log
tags: [
    "beats_input_codec_plain_applied"
]
type: stdout
How do I omit the above JSON code from the alert mail? Please suggest.
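
An added example, not part of the original post: a version of the rule above that sets ElastAlert's `alert_text_type` option so the matching document's fields (raw log message, source path, host metadata) are not appended to the mail. The rule name, the recipient address and the simplified two-argument `alert_text` are assumptions made for the example.

```yaml
# Added example, not the poster's file.
name: example-frequency-stdout    # assumed rule name
type: frequency
index: logstash-*
num_events: 50
timeframe:
  hours: 4
filter:
- term:
    type: "stdout"
alert:
- "email"
email:
- "oncall@example.com"            # placeholder recipient

# By default the mail body is:
#   alert_text
#   + the rule-type summary ("At least 50 events occurred between ...")
#   + every field of the matching document (the block shown in the question)
#
# alert_text_type narrows that:
#   alert_text_only  -> body is alert_text alone
#   exclude_fields   -> alert_text + rule-type summary, no document fields
alert_text_type: alert_text_only

# Only the fields named in alert_text_args leave the cluster in the mail.
alert_text: |
  ElastAlert has detected suspicious activity for {0}
  At least 50 events of type {1} were seen within the rule's timeframe.
alert_text_args:
- host
- type
```

Use `exclude_fields` instead of `alert_text_only` if the "At least 50 events occurred between ..." line should stay in the mail.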