Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

My elastalert is running normally, but I have not received any email alerts. #2000

Open MrSsunlight opened 6 years ago

MrSsunlight commented 6 years ago

CentOS 7.2, ELK 6.4.3; the ElastAlert image is bitsensor/elastalert:latest.

docker-compose.yml is:

```yaml
version: '2'
services:
  elastalert:
    image: bitsensor/elastalert
    container_name: elastalert
    user: root
    environment:
      ES_HOST: " . . . "
      ES_PORT: 9200
      SET_CONTAINER_TIMEZONE: "true"
      CONTAINER_TIMEZONE: "Asia/Shanghai"
      ELASTALERT_HOME: /opt/elastalert
      RULES_DIRECTORY: /opt/elastalert/rules
      CONFIG_DIR: /opt/elastalert/config
    volumes: # mount directories
      - ./rules:/opt/elastalert/rules
      - ./logs:/opt/elastalert/logs
      - ./config:/opt/elastalert/config
      - ./rule_templates:/opt/elastalert/rule_templates
      - ./email/smtp_auth_file.yaml:/opt/elastalert/smtp_auth_file.yaml
    ports:
      - 3030:3030
    networks:
      - eanet

networks:
  eanet:
```

my rule file is:

```yaml
name: email test
type: frequency

timeframe:
  minutes: 1
num_events: 2

index: udp*
doc_type: "syslog"
timestamp_field: "@timestamp"

filter:
  - term:
      message: ".*"
  - term:
      _type: "syslog"

smtp_host: mail.topsec.com.cn

smtp_port: 993

alert_subject: "email alert test"
alert_text_type: alert_text_only
alert_text: "this is----alert test"

alert:
  - "email"
email:
  - "****@163.com"
```

the test rule result is:

```
Console output Successfully loaded web request status

Would have written the following documents to writeback index (default is elastalert_status):

elastalert_status - {'hits': 0, 'matches': 0, '@timestamp': datetime.datetime(2018, 11, 16, 9, 16, 30, 215617, tzinfo=tzutc()), 'rule_name': 'email test', 'starttime': datetime.datetime(2018, 11, 15, 9, 16, 22, 34332, tzinfo=tzutc()), 'endtime': datetime.datetime(2018, 11, 16, 9, 16, 22, 34332, tzinfo=tzutc()), 'time_taken': 8.16339898109436}
```

My elastalert is running normally, but I have not received any email alerts. How can I debug? How to view the log of smtp server, where is it located?

zayalaksme commented 5 years ago

Add the lines below to the end of the rule, with a " - " before debug and email (2nd and 3rd lines):

```yaml
alert:
  - debug
  - email
email:
```

In the same rules folder create a new yaml file named "smtp_auth_file.yaml" with the username and password of the sending mail account, in the format below:

```yaml
user: "xxxxx@gmail.com"
password: "password"
```

Qmando commented 5 years ago

You ran the test and got 0 hits. That's probably because you have

```yaml
- term:
    message: ".*"
```

term filter does not work with regex. Just remove it. See https://www.elastic.co/guide/en/elasticsearch/reference/6.4/query-dsl-term-filter.html.

If ElastAlert actually tries to send an email, you'll see Sending email to [....] in the logs.

"How to view the log of smtp server, where is it located?" The SMTP server is mail.topsec.com.cn or if you leave it commented out, it will try localhost. If there's an error in connecting to the server you should see that in the logs too.
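The `term` problem above is easy to reintroduce in any rule, so here is an added example (not ElastAlert's code and not from anyone in this thread) of a small pre-flight check for a rule's `filter` block. It assumes only the Elasticsearch query DSL semantics Qmando describes: `term` is an exact match against an indexed token, so a value like `".*"` never matches, while a `regexp` clause is the regex equivalent (run per indexed token, so on an analyzed `text` field it matches tokens, not the whole message). The sample filter is constructed here to mirror the one in the issue; a real check would `yaml.safe_load()` the rule file first.

```python
"""Pre-flight lint for an ElastAlert rule filter: find `term` clauses that
hold a regex (which can never match) and rewrite them.

Added example; assumes Elasticsearch 6.x query DSL semantics only.
"""
import copy
import re

# Constructed sample, mirroring the filter posted in this issue.
SAMPLE_FILTER = [
    {"term": {"message": ".*"}},
    {"term": {"_type": "syslog"}},
]

# Metacharacters that have no place in an exact-token `term` value.
# `.` is deliberately left out so hostnames like host.example.com are not
# flagged; ".*" is still caught via the `*`.
REGEX_META = re.compile(r"[*+?^$|()\[\]{}\\]")


def regex_terms(filter_clauses):
    """Walk the filter, including nested bool/must/should lists, and return
    [(field, value)] for every `term` whose value looks like a regex."""
    found = []

    def walk(node):
        if isinstance(node, dict):
            for key, val in node.items():
                if key == "term" and isinstance(val, dict):
                    for field, value in val.items():
                        if isinstance(value, str) and REGEX_META.search(value):
                            found.append((field, value))
                else:
                    walk(val)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(filter_clauses)
    return found


def rewrite_filter(filter_clauses):
    """Return a corrected copy of a top-level ElastAlert filter list.

    A `term` on ".*" is dropped: as a term it matches nothing, and as a
    regex it would filter nothing. Any other regex-looking `term` becomes
    a `regexp` clause with the same pattern and field."""
    fixed = []
    for clause in copy.deepcopy(filter_clauses):
        term = clause.get("term") if isinstance(clause, dict) else None
        if term and len(term) == 1:
            ((field, value),) = term.items()
            if isinstance(value, str) and REGEX_META.search(value):
                if value == ".*":
                    continue
                fixed.append({"regexp": {field: value}})
                continue
        fixed.append(clause)
    return fixed


def lint(filter_clauses):
    """Human-readable findings, one line per bad clause."""
    return [
        f"term on '{field}' holds regex-looking value {value!r}; "
        "term is an exact token match and will return 0 hits"
        for field, value in regex_terms(filter_clauses)
    ]


if __name__ == "__main__":
    for line in lint(SAMPLE_FILTER):
        print(line)
    print("corrected filter:", rewrite_filter(SAMPLE_FILTER))
```

Run it against the filter section of a rule before `elastalert-test-rule`; if it reports findings, the 0 hits in the test output are explained before SMTP is even involved.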