Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0
8k stars 1.73k forks

I created a rule YAML file; when I test the rule I get zero hits. But the same term query gives me results in Elasticsearch. Why do I get zero hits?? #1429

Open Demantel2016 opened 6 years ago

Demantel2016 commented 6 years ago

I created a rule YAML file; when I test the rule I get zero hits. But the same term query gives me results in Elasticsearch. Why do I get zero hits??

My rule is as below:

name: frequency_rule
type: frequency
index: firewall1

# Fire when at least num_events documents match the filter within timeframe
num_events: 5
timeframe:
  hours: 8

# Exact (untokenised) match on the keyword sub-field of host
filter:
- term:
    host.keyword: "azure"

alert:
- email

email:
- "to_email@gmail.com"
smtp_host: "smtp.gmail.com"
smtp_port: 465
smtp_ssl: true
from_addr: "from_email@gmail.com"

# ElastAlert's email alerter reads SMTP credentials from the file named by
# smtp_auth_file (keys: user, password), not from keys placed in the rule itself
user: "from_email@gmail.com"
password: "my_password"

I didn't get any error; the command line output is as below:

PS C:\Users\force-2ndPC\Downloads\elastalert-master> elastalert-test-rule alert_rules/frequency.yaml
Successfully loaded frequency_rule

INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent. To send them but remain verbose, use --verbose instead.
INFO:elastalert:Queried rule frequency_rule from 2017-11-16 09:51 Central Standard Time to 2017-11-16 13:51 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule frequency_rule from 2017-11-16 13:51 Central Standard Time to 2017-11-16 17:51 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule frequency_rule from 2017-11-16 17:51 Central Standard Time to 2017-11-16 21:51 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule frequency_rule from 2017-11-16 21:51 Central Standard Time to 2017-11-17 01:51 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule frequency_rule from 2017-11-17 01:51 Central Standard Time to 2017-11-17 05:51 Central Standard Time: 0 / 0 hits
INFO:elastalert:Queried rule frequency_rule from 2017-11-17 05:51 Central Standard Time to 2017-11-17 09:51 Central Standard Time: 0 / 0 hits

Would have written the following documents to writeback index (default is elastalert_status):

elastalert_status - {'hits': 0, 'matches': 0, '@timestamp': datetime.datetime(2017, 11, 17, 15, 51, 41, 782000, tzinfo=tzutc()), 'rule_name': 'frequency_rule', 'starttime': datetime.datetime(2

Qmando commented 6 years ago

Perhaps show an example document with a matching @timestamp, index, and a matching "azure" host.
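The check asked for above can be done without Elasticsearch by replaying, against a handful of documents, the query ElastAlert issues per run window: the rule's `filter` combined with a range on its timestamp field (default `@timestamp`). The following is an added example, not ElastAlert's own code; the sample documents and the 4-hour window are constructed, and the emulation assumes that a `term` query on a `.keyword` field compares the raw string exactly (case-sensitive, untokenised), which is how a keyword mapping behaves.

```python
"""Added example (not ElastAlert's code): replay an ElastAlert frequency rule's
per-window query on constructed documents so a '0 / 0 hits' result can be
explained locally.

Assumptions (not from the thread): ElastAlert ANDs the rule `filter` with a
range on the rule's timestamp field (default '@timestamp') for every window;
a `term` on a `.keyword` field is an exact, case-sensitive string compare.
"""
from datetime import datetime, timedelta, timezone

# Values taken from the rule posted in the thread.
TERM_FIELD = "host.keyword"
TERM_VALUE = "azure"
TIMESTAMP_FIELD = "@timestamp"   # ElastAlert's default timestamp_field


def _doc(host, ts, ts_field=TIMESTAMP_FIELD):
    """Build a constructed sample document (not real firewall data)."""
    return {"host": host, ts_field: ts}


def term_matches(doc, field, value):
    """Emulate a `term` query on a `.keyword` sub-field: the keyword copy of a
    dynamically mapped text field is the raw string, so compare it exactly."""
    parent = field[: -len(".keyword")] if field.endswith(".keyword") else field
    return doc.get(parent) == value


def in_window(doc, start, end, ts_field):
    """Emulate the timestamp range ElastAlert adds to every query: the document
    must carry the field, parse as ISO-8601, and fall inside [start, end)."""
    raw = doc.get(ts_field)
    if raw is None:
        return False
    ts = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    return start <= ts < end


def explain(doc, start, end):
    """Return 'hit' or the reason the document would not count."""
    if not term_matches(doc, TERM_FIELD, TERM_VALUE):
        return "filtered out: %s != %r (term is exact, case-sensitive)" % (
            TERM_FIELD, TERM_VALUE)
    if not in_window(doc, start, end, TIMESTAMP_FIELD):
        return "outside window or missing %s" % TIMESTAMP_FIELD
    return "hit"


def count_hits(docs, start, end):
    """Number of documents ElastAlert would report as hits for this window."""
    return sum(1 for d in docs if explain(d, start, end) == "hit")


# One 4-hour slice, like the windows in the log above (constructed).
WINDOW_START = datetime(2017, 11, 16, 15, 51, tzinfo=timezone.utc)
WINDOW_END = WINDOW_START + timedelta(hours=4)

# Constructed documents covering the usual reasons for zero hits.
SAMPLE_DOCS = [
    _doc("azure", "2017-11-16T16:00:00Z"),           # hit
    _doc("Azure", "2017-11-16T16:05:00Z"),           # case differs on the keyword
    _doc("azure", "2017-11-10T16:00:00Z"),           # older than the window
    _doc("azure", "2017-11-16T16:10:00Z", "time"),   # timestamp under another field
]

if __name__ == "__main__":
    for d in SAMPLE_DOCS:
        print(d, "->", explain(d, WINDOW_START, WINDOW_END))
    print("hits:", count_hits(SAMPLE_DOCS, WINDOW_START, WINDOW_END))
```

Only the first document counts: a keyword term does not match a differently cased value, and a document whose timestamp is outside the window or stored under a field other than the rule's timestamp field is excluded by the range clause before the filter is even relevant. If the index keeps its time in another field, the rule's `timestamp_field` option is the knob to change.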

Demantel2016 commented 6 years ago

I solved it. Now I get a Gmail authentication error. My config and error message are below. I already allowed less secure apps in Gmail. Sending email from Java works fine.

email:

PS C:\Users\smiforce-2ndPC\Downloads\Compressed\elastalert-master\elastalert-master> python -m elastalert.elastalert --verbose --config ./config.yaml --rule ./alert_rules/frequency4.yaml
INFO:elastalert:Starting up
INFO:elastalert:Queried rule frequency_rule4 from 2017-11-20 09:48 Central Standard Time to 2017-11-21 09:48 Central Standard Time: 24 / 24 hits
ERROR:root:Traceback (most recent call last):
  File "C:\Users\smiforce-2ndPC\Downloads\Compressed\elastalert-master\elastalert-master\elastalert\elastalert.py", line 1246, in alert
    return self.send_alert(matches, rule, alert_time=alert_time, retried=retried)
  File "C:\Users\smiforce-2ndPC\Downloads\Compressed\elastalert-master\elastalert-master\elastalert\elastalert.py", line 1326, in send_alert
    alert.alert(matches)
  File "elastalert\alerts.py", line 451, in alert
    self.smtp.sendmail(self.from_addr, to_addr, email_msg.as_string())
  File "C:\Python27\lib\smtplib.py", line 737, in sendmail
    raise SMTPSenderRefused(code, resp, from_addr)
SMTPSenderRefused: (530, '5.5.1 Authentication Required. Learn more at\n5.5.1 https://support.google.com/mail/?p=WantAuthError l4sm636961ioc.69 - gsmtp', 'test@gmail.com')

ERROR:root:Uncaught exception running rule frequency_rule4: (530, '5.5.1 Authentication Required. Learn more at\n5.5.1 https://support.google.com/mail/?p=WantAuthError l4sm636961ioc.69 - gsmt
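The traceback shows `sendmail` being the first command the server rejects, which is what an authentication-required SMTP server returns when no `login` preceded it. ElastAlert's email alerter only calls `login` when the rule names a credentials file through `smtp_auth_file` (a YAML file with `user` and `password` keys); credentials written directly into the rule are not read by it. The example below is added here and is not ElastAlert's code: it follows the same connect, optional login, sendmail order, with a constructed `FakeSMTP` standing in for `smtplib.SMTP_SSL` so it runs offline, and placeholder addresses and passwords.

```python
"""Added example (not ElastAlert's code): reproduce the SMTP exchange behind
'530 5.5.1 Authentication Required' and show the effect of smtp_auth_file.

Assumptions (not from the thread): FakeSMTP is a constructed stand-in for
smtplib.SMTP_SSL that requires authentication; 'app-password' is the only
password it accepts; addresses are placeholders.
"""
import os
import smtplib
import tempfile
from email.message import EmailMessage


def load_smtp_auth_file(path):
    """Read the two keys ElastAlert expects in smtp_auth_file: user and
    password. A minimal `key: value` reader is used here so the example needs
    no YAML library; ElastAlert itself loads the file as YAML."""
    creds = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or ":" not in line:
                continue
            key, value = line.split(":", 1)
            creds[key.strip()] = value.strip().strip('"').strip("'")
    return creds["user"], creds["password"]


class FakeSMTP:
    """Constructed stand-in for smtplib.SMTP_SSL(host, port): refuses MAIL FROM
    until a successful login, like the server in the traceback."""

    def __init__(self, host, port):
        self.authenticated = False
        self.sent = []

    def login(self, user, password):
        if password != "app-password":   # constructed secret
            raise smtplib.SMTPAuthenticationError(
                535, b"5.7.8 Username and Password not accepted")
        self.authenticated = True

    def sendmail(self, from_addr, to_addrs, msg):
        if not self.authenticated:
            raise smtplib.SMTPSenderRefused(
                530, b"5.5.1 Authentication Required", from_addr)
        self.sent.append((from_addr, tuple(to_addrs)))

    def quit(self):
        pass


def send_alert(rule, smtp_factory=None):
    """Same order as ElastAlert's EmailAlerter: connect (SMTP_SSL when
    smtp_ssl is true), login only if smtp_auth_file is set, then sendmail.
    Returns 'sent' or the SMTP error code."""
    if smtp_factory is None:
        smtp_factory = smtplib.SMTP_SSL if rule.get("smtp_ssl") else smtplib.SMTP
    creds = load_smtp_auth_file(rule["smtp_auth_file"]) if "smtp_auth_file" in rule else None
    msg = EmailMessage()
    msg["From"] = rule["from_addr"]
    msg["To"] = ", ".join(rule["email"])
    msg["Subject"] = "%s alert" % rule["name"]
    msg.set_content("constructed alert body")
    conn = smtp_factory(rule["smtp_host"], rule["smtp_port"])
    try:
        if creds:
            conn.login(*creds)
        conn.sendmail(rule["from_addr"], rule["email"], msg.as_string())
        return "sent"
    except smtplib.SMTPResponseException as exc:
        return exc.smtp_code
    finally:
        conn.quit()


# Rule values as posted in the thread (placeholder addresses).
BASE_RULE = {
    "name": "frequency_rule", "email": ["to_email@gmail.com"],
    "smtp_host": "smtp.gmail.com", "smtp_port": 465, "smtp_ssl": True,
    "from_addr": "from_email@gmail.com",
}


def _write_auth_file(password):
    fh = tempfile.NamedTemporaryFile("w", suffix=".yaml", delete=False)
    fh.write('user: "from_email@gmail.com"\npassword: "%s"\n' % password)
    fh.close()
    return fh.name


def demo():
    """Three runs against FakeSMTP: credentials inside the rule (no login),
    smtp_auth_file with a wrong password, smtp_auth_file with the right one."""
    in_rule = dict(BASE_RULE, user="from_email@gmail.com", password="my_password")
    no_login = send_alert(in_rule, FakeSMTP)
    bad, good = _write_auth_file("wrong"), _write_auth_file("app-password")
    try:
        wrong_pw = send_alert(dict(BASE_RULE, smtp_auth_file=bad), FakeSMTP)
        ok = send_alert(dict(BASE_RULE, smtp_auth_file=good), FakeSMTP)
    finally:
        os.unlink(bad)
        os.unlink(good)
    return no_login, wrong_pw, ok


if __name__ == "__main__":
    print(demo())
```

The first run reproduces the 530 in the traceback (no login attempted because the alerter saw no `smtp_auth_file`); the second shows the distinct 535 a rejected password produces; only the third delivers. Against the real server, drop the `FakeSMTP` argument and `send_alert` uses `smtplib.SMTP_SSL` on port 465, which is what `smtp_ssl: true` selects in ElastAlert as well.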