Add support for no Destination

Open KevSex opened this issue 5 years ago • 2 comments

It would be good if there was an option for no destination and only to add the alert to the praeco index.

I'd like to be able to create a rule that would trigger an event to the praeco_elastalert_status index but no other action taken (i.e. no email, slack or http trigger). This will allow for a follow-up rule to look for the 'trigger' event(s) and allow for further correlation between events.

The only option for this that I could see from the ElastAlert documentation is to implement the command alert option and just echo to /dev/null. Not sure if there is an alternative that can be achieved here without the need for the echo command?

KevSex, May 13 '19 16:05

There is a "Debug" alert type that just outputs to stdout but doesn't actually send alerts to any service. I can add that as an alert type; it might do what you want.

johnsusek, May 13 '19 16:05

Ah awesome! I don't know if that still adds the event to the elastalert index though, or is it purely just to output to the Python logger with no event indexed?

KevSex, May 13 '19 23:05