Hello,
do others use other alerting methods for Elastic?
I realized that the alerting system in Elastic isn't meant to pass raw data. I want to alert to notify but provide additional context/data not provided in the default alerts.
For example, if log,level: error > 0, I want to pass all the documents per host. This way the data in the alert helps provide more information on the alert, instead of just saying "error > 0" in the email body.
Hello @erikg
Totally agree with this. Elastic Watcher is way ahead of Kibana alerting by the way. You can use the data you receive from your queries and even output in pretty html with house colors. The problem is that, unfortunately, it doesn't really integrate with Elastic Security. Although in theory you could create an action which indexes an alert in the relevant siem indices.
Willem
What alert are you talking?
There are the native infrastructure alerts and there are the Security alerts, for some of them you can get the data of the document.
Third party app ElastAlert 2 may be a match for you.
Take a look: https://elastalert2.readthedocs.io/en/latest/
Hey @leandrojmp,
I am using alerts from an Observability standpoint. I am not leveraging Security Alerts.
As for the native infrastructure alerts,
I was trying to use ES Query alert because it allows you to send the raw documents. The issue is I want to group by (aggregation). So, I also leveraged Log Threshold (aggregation based) and it doesn't allow you to send raw documents.
I need a mix of both.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.