I have some questions in elastalert which are really making me stuck. Your help is really needed as I am in the middle of an issue. My questions are below:
I have tried by following one by one, but nothing worked.
filter:
- term:
#    message: "*INFO*"
#    query: "info"
#    host.name: "*IPADDRESS.us-east-2.compute.internal*"
None of the above is working.
Your question is kinda broad, so, I can only give some pointers but you probably want to run something like this:
# From rules/example_frequency.yaml
name: Immediate attention is necessary.
type: frequency
index: logstash-ming-ossec-syslog-new-*
num_events: 1
timeframe:
  minutes: 10
#- query:
#    query_string:
#      query: 'res:failed AND op:login AND (NOT acct:root) AND (NOT acct:(unknown))'
#filter:
#- query:
#    query_string:
#      query: "system.log.severity: SEVERE"
# or whatever makes sense with your data
filter:
- query:
    query_string:
      query: "alarm AND error AND (critical OR severe)"
      default_field: syslog_message
alert:
- "email"
email:
- "[email protected]"
- "[email protected]"
smtp_host: "smtp.mailgun.org"
smtp_port: 25
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: '/opt/elastalert/smtp_auth_file.yaml'
Inspired by https://github.com/Yelp/elastalert/blob/master/example_rules/example_frequency.yaml
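As an added sanity check (example code, not part of the answer or of ElastAlert itself), this small Python linter flags the two mistakes visible on this page: a wildcard inside a `term` filter, which Elasticsearch treats as a literal exact match, and a mistyped option key such as `smtp:ssl`, which YAML parses happily but which matches no ElastAlert option. The rule dicts are constructed to mirror the YAML above, and the check names and messages are this example's own.

```python
import re

REQUIRED = ("name", "type", "index", "filter", "alert")

def lint_rule(rule):
    """Return the problems found in an ElastAlert rule dict; an empty list means it looks sane."""
    problems = []
    for key in REQUIRED:
        if key not in rule:
            problems.append(f"missing required key: {key}")
    if rule.get("type") == "frequency":
        if "num_events" not in rule:
            problems.append("frequency rule needs num_events")
        if not isinstance(rule.get("timeframe"), dict) or not rule["timeframe"]:
            problems.append("timeframe must be a mapping such as {minutes: 10}")
    for entry in rule.get("filter") or []:
        if not isinstance(entry, dict) or not entry:
            problems.append(f"filter entry is not a mapping: {entry!r}")
            continue
        # '- term:' with every line under it commented out parses as term: null.
        if "term" in entry and not entry["term"]:
            problems.append("term filter has no field (is everything under it commented out?)")
        # A term filter compares the whole stored value; '*' and '?' are matched literally.
        for field, value in (entry.get("term") or {}).items():
            if isinstance(value, str) and re.search(r"[*?]", value):
                problems.append(f"term filter on {field!r} has wildcard {value!r}; use query_string instead")
    # YAML accepts any key, so a misspelled option name is not a parse error.
    for key in rule:
        if ":" in key:
            problems.append(f"unknown option {key!r}; did you mean {key.replace(':', '_')!r}?")
    return problems

# Constructed rule dicts mirroring the YAML in the question and the answer (hypothetical values).
QUESTION_RULE = {"name": "q", "type": "frequency", "index": "logstash-*", "alert": ["email"],
                 "num_events": 1, "timeframe": {"minutes": 10},
                 "filter": [{"term": {"message": "*INFO*"}}]}
ANSWER_RULE = {"name": "Immediate attention is necessary.", "type": "frequency",
               "index": "logstash-ming-ossec-syslog-new-*", "num_events": 1,
               "timeframe": {"minutes": 10}, "alert": ["email"], "smtp:ssl": True,
               "filter": [{"query": {"query_string": {
                   "query": "alarm AND error AND (critical OR severe)",
                   "default_field": "syslog_message"}}}]}
FIXED_RULE = {**{k: v for k, v in ANSWER_RULE.items() if k != "smtp:ssl"}, "smtp_ssl": True}

if __name__ == "__main__":
    for label, rule in (("question", QUESTION_RULE), ("answer", ANSWER_RULE), ("fixed", FIXED_RULE)):
        print(label, lint_rule(rule) or "ok")
```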