elastalert
How to see if the alerts are really working?
I am trying to get this plugin working. I wrote a very simple frequency rule and I am trying the sample cpu spike rule too.
When I test the cpu spike rule, it writes "Got 8542 hits from the last 1 day" but in the end I have
elastalert_status - {'hits': 0, 'matches': 0, '
Maybe it's not written correctly, so I skipped it.
When I test the frequency rule, I do have 958 hits and 90 matches. If I'm not wrong, I'm supposed to receive at least 1 alert, but I never did.
I tried 3 different alert types.
The debug alert, but I'm not really sure where the console it's supposed to write to is; I assume it's the docker container, where it also writes things like "08:20:03.620Z INFO elastalert-server: Routes: Successfully handled GET request for '/rules/:id'.", but there is nothing.
The email. I have set it up like this:
alert:
- "email"
email:
- "[email protected]"
smtp_host: "smtp.gmail.com"
smtp_port: 465
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/etc/elasticsearch/smtp_auth.yaml"
Inside the smtp_auth.yaml:
user: "[email protected]"
password: "mypassword"
But I never received a mail. I'm behind a proxy and I think I never configured elastalert for it, so maybe that's the reason, but I never saw an error in the console either.
- I tried to write the alert to a text file like this:
alert:
- "command"
command: ["tee", "-a", "/opt/elastalert/alert.txt"]
pipe_match_json: true
But the file is still empty.
I'm probably doing something wrong and I need your help. If you need more info feel free to ask.
What do your conditions look like?
Here is the beginning of my rule.
type: frequency
# (Required)
# Index to search, wildcard supported
index: logstash*
# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 10
# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
minutes: 2
# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter: []
This is my sample CPU Spike rule to send an email alert if cpu usage hits more than 30% for 1 minute.
name: Metricbeat CPU Spike Rule
type: metric_aggregation
index: metricbeat-*
minutes: 1
metric_agg_key: system.cpu.total.pct
metric_agg_type: max
query_key: beat.hostname
doc_type: doc
sync_bucket_interval: true
#allow_buffer_time_overlap: true
#use_run_every_query_size: true
min_threshold: 0.0
max_threshold: 0.3
filter:
- term:
    metricset.name: cpu
alert:
- "email"
email:
- "[email protected]"
smtp_host: "smtp.example.com"
smtp_port: 465
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: "/tmp/elastalert/smtp_auth.yaml"
How are you testing your rules?
Hi and sorry for the late answer.
To test rules, first I check if the rule has hits and matches. Then I recreate the conditions to get hits and matches and wait to receive an email or something, but nothing.
I found that when I start the docker I have this message: "ProcessController: IOError: [Errno 2] No such file or directory: '/tmp/elastalert/smtp_auth.yaml'", do you know how to fix it? I don't know where the debug alerter's messages are supposed to be written to, either.
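The following pre-flight checker is an added example, not part of this thread and not elastalert's own code. It covers the problems visible in the posts above: an smtp_auth_file path that does not exist where elastalert actually runs (the IOError in the last post), a top-level key written twice (the CPU spike rule had `minutes: 1` twice; PyYAML keeps the last value and reports nothing), alert sections that are not lists, a string-typed smtp_port, and a command alerter whose output directory is not writable. The rule text and dicts below are constructed to mirror the thread; `check_rule` and `duplicate_top_level_keys` are names chosen here, and the `exists`/`writable` callbacks are injectable so the checks can be run from inside the container (or, as in the demo, with stubs).

```python
"""Pre-flight checks for an elastalert rule file (added example, not elastalert code)."""
import os
import re
from typing import Callable, Dict, List

# A top-level YAML key is an identifier at column 0 followed by a colon.
TOP_LEVEL_KEY = re.compile(r"^([A-Za-z_][\w.]*)\s*:")


def duplicate_top_level_keys(rule_text: str) -> List[str]:
    """Return top-level keys that occur more than once; yaml.safe_load would hide them."""
    counts: Dict[str, int] = {}
    for line in rule_text.splitlines():
        match = TOP_LEVEL_KEY.match(line)
        if match:
            counts[match.group(1)] = counts.get(match.group(1), 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


def check_rule(rule: dict,
               exists: Callable[[str], bool] = os.path.exists,
               writable: Callable[[str], bool] = lambda p: os.access(p, os.W_OK)) -> List[str]:
    """Return a list of problems found in a parsed rule dict; an empty list means OK."""
    problems: List[str] = []
    alerts = rule.get("alert")
    if not isinstance(alerts, list) or not alerts:
        problems.append("alert: must be a non-empty list, e.g. ['email']")
        alerts = []

    if "email" in alerts:
        if not isinstance(rule.get("email"), list) or not rule["email"]:
            problems.append("email: must be a list of recipient addresses")
        port = rule.get("smtp_port")
        if port is not None and not isinstance(port, int):
            problems.append(f"smtp_port: expected an integer, got {port!r}")
        auth_file = rule.get("smtp_auth_file")
        if auth_file and not exists(auth_file):
            problems.append(f"smtp_auth_file: {auth_file} does not exist where elastalert runs")

    if "command" in alerts:
        command = rule.get("command")
        if not isinstance(command, list) or not command:
            problems.append("command: must be a non-empty argv list")
        else:
            # Heuristic: an absolute path in the argv is treated as the output file (tee -a /path).
            for arg in command:
                directory = os.path.dirname(arg) or "/"
                if arg.startswith("/") and not writable(directory):
                    problems.append(f"command: {directory} is not writable, {arg} will stay empty")

    if rule.get("type") == "frequency":
        if "num_events" not in rule:
            problems.append("num_events: required for type frequency")
        if not any(unit in rule for unit in ("seconds", "minutes", "hours", "days", "weeks")):
            problems.append("frequency rules need a timeframe key such as minutes")
    return problems


def load_rule(path: str) -> dict:
    """Load a rule file the way elastalert does (PyYAML, imported lazily)."""
    import yaml  # elastalert's own dependency
    with open(path) as fh:
        return yaml.safe_load(fh)


# Constructed rule text mirroring the CPU spike rule in the thread, duplicated key included.
CPU_SPIKE_TEXT = """name: Metricbeat CPU Spike Rule
type: metric_aggregation
index: metricbeat-*
minutes: 1
metric_agg_key: system.cpu.total.pct
metric_agg_type: max
minutes: 1
max_threshold: 0.3
"""

# Constructed dicts, as yaml.safe_load would return them, for the alert configs in the thread.
CPU_SPIKE_RULE = {
    "name": "Metricbeat CPU Spike Rule",
    "type": "metric_aggregation",
    "alert": ["email"],
    "email": ["[email protected]"],
    "smtp_host": "smtp.example.com",
    "smtp_port": "465",  # string, as posted
    "smtp_ssl": "true",
    "smtp_auth_file": "/tmp/elastalert/smtp_auth.yaml",
}

FIXED_RULE = {
    "name": "frequency to file",
    "type": "frequency",
    "num_events": 10,
    "minutes": 2,
    "alert": ["command"],
    "command": ["tee", "-a", "/opt/elastalert/alert.txt"],
    "pipe_match_json": True,
}

if __name__ == "__main__":
    print("duplicate keys:", duplicate_top_level_keys(CPU_SPIKE_TEXT))
    # Stub the container view from the thread: /tmp/elastalert/smtp_auth.yaml is absent.
    for problem in check_rule(CPU_SPIKE_RULE, exists=lambda p: False):
        print("cpu spike rule:", problem)
    for problem in check_rule(FIXED_RULE, writable=lambda p: True):
        print("fixed rule:", problem)
```

Run it with the default callbacks from inside the elastalert container (`docker exec`), not from the host: the smtp_auth.yaml path in the rule is resolved by the process that loads the rule, so a file that exists on the host but not in the container still produces the IOError seen above.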