Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Issues with installation of Elastalert 0.1.39 #2198

Open dasa4 opened 5 years ago

dasa4 commented 5 years ago

I was upgrading the elastalert from 0.1.29 to 0.1.39 and the installation is facing issues.

  File "elastalert/alerts.py", line 32, in <module>
    from thehive4py.api import TheHiveApi
ImportError: No module named thehive4py.api

The previous version did not require the same. I already have Python 2.7 installed.

Qmando commented 5 years ago

pip install thehive4py

dasa4 commented 5 years ago

I have installed thehive4py, python-magic and futurize. Now the below error is coming while trying to start elastalert:

  File "elastalert/alerts.py", line 32, in <module>
    from thehive4py.api import TheHiveApi
  File "build/bdist.linux-x86_64/egg/thehive4py/api.py", line 7, in <module>
  File "build/bdist.linux-x86_64/egg/magic.py", line 293, in <module>
  File "/app01/sw/Python-2.7.13/lib/python2.7/ctypes/__init__.py", line 375, in __getattr__
    func = self.__getitem__(name)
  File "/app01/sw/Python-2.7.13/lib/python2.7/ctypes/__init__.py", line 380, in __getitem__
    func = self._FuncPtr((name_or_ordinal, self))
AttributeError: /usr/lib64/libmagic.so.1: undefined symbol: magic_setparam

I am using Python 2.7.13.

Qmando commented 5 years ago

Are you using RHEL? I'm seeing lots of reports of this problem from Google but not many good answers. You're probably best off just deleting that import line from alerts.py.

dasa4 commented 5 years ago

Hey,

Can you please specifically tell me which import line to remove from alerts.py?

Qmando commented 5 years ago

⬇️

  File "elastalert/alerts.py", line 32, in <module>
    from thehive4py.api import TheHiveApi
ImportError: No module named thehive4py.api

⬆️

dasa4 commented 5 years ago

This is the log I get when I comment out the import part.

INFO:elastalert:Starting up
INFO:elastalert:Queried rule OSB spike from 2019-04-12 03:29 EDT to 2019-04-12 03:34 EDT: 0 / 0 hits
WARNING:elasticsearch:POST http://anvla340n.adr.valueaddco.com:5020/elastalert_status_status/elastalert_status [status:403 request:0.003s]
ERROR:root:Error writing alert info to Elasticsearch: TransportError(403, u'cluster_block_exception', u'blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];')
Traceback (most recent call last):
  File "/app01/sw/elastalert-master/elastalert/elastalert.py", line 1500, in writeback
    doc_type=doc_type, body=body)
  File "/app01/sw/Python-2.7.13/lib/python2.7/site-packages/elasticsearch-6.2.0-py2.7.egg/elasticsearch/client/utils.py", line 76, in _wrapped
    return func(*args, params=params, **kwargs)
  File "/app01/sw/Python-2.7.13/lib/python2.7/site-packages/elasticsearch-6.2.0-py2.7.egg/elasticsearch/client/__init__.py", line 319, in index
    _make_path(index, doc_type, id), params=params, body=body)
  File "/app01/sw/Python-2.7.13/lib/python2.7/site-packages/elasticsearch-6.2.0-py2.7.egg/elasticsearch/transport.py", line 314, in perform_request
    status, headers_response, data = connection.perform_request(method, url, params, body, headers=headers, ignore=ignore, timeout=timeout)
  File "/app01/sw/Python-2.7.13/lib/python2.7/site-packages/elasticsearch-6.2.0-py2.7.egg/elasticsearch/connection/http_requests.py", line 90, in perform_request
    self._raise_error(response.status_code, raw_data)
  File "/app01/sw/Python-2.7.13/lib/python2.7/site-packages/elasticsearch-6.2.0-py2.7.egg/elasticsearch/connection/base.py", line 125, in _raise_error
    raise HTTP_EXCEPTIONS.get(status_code, TransportError)(status_code, error_message, additional_info)
AuthorizationException: TransportError(403, u'cluster_block_exception', u'blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];')
INFO:elastalert:Ran OSB spike from 2019-04-12 03:29 EDT to 2019-04-12 03:34 EDT: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 299.930235 seconds

dasa4 commented 5 years ago

THE BIGGEST PROBLEM I faced is with email_from_field. I am using email_from_field to send email to multiple recipients. Below is the excerpt from my rule:

match_enhancements:
- "elastalert_modules.osb_alert_enhancements.AlertParameterLookUp"

alert: email
email: "PITECGatewayTeam@arconic.com"
email_from_field: "osb_recipient_email"
cc: "PITECGatewayTeam@arconic.com"
email_reply_to: "PITECGatewayTeam@arconic.com"
from_addr: "OSB12cTest@arconic.com"
alert_subject: "OSB ({0}) - Error Notification : {1} | {2}"
alert_subject_args:

elastalert_modules.osb_alert_enhancements.AlertParameterLookUp is my enhancement, from which osb_recipient_email is fetched. The enhancement excerpt is below.

import csv
import logging
import sys
import traceback

logger = logging.getLogger(__name__)


def fetch_lookup_value(file_name_location, search_key, search_value, result_key, default_value):
    # Return the result_key column of the first CSV row whose search_key column
    # equals search_value; fall back to default_value when nothing matches or
    # when reading/parsing the file fails.
    result_value = default_value
    try:
        with open(file_name_location) as csv_file:
            for row in csv.DictReader(csv_file):
                if row[search_key] == search_value:
                    result_value = row[result_key]
                    break

    except Exception:
        # In case of error, print trace info into a string
        type_, value_, traceback_ = sys.exc_info()
        tracestr = ''.join(traceback.format_exception(type_, value_, traceback_))
        logger.error('An error occurred while fetching value from CSV file, TRACE=%s', tracestr)

    return result_value
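The rule above only works if the enhancement actually writes `osb_recipient_email` into the match before the email alerter reads `email_from_field`, and a lookup that silently returns an empty default leaves the alerter with nothing to use. The following is an added example, not code from this thread or from ElastAlert itself: an in-memory version of the CSV lookup, a hypothetical `AlertParameterLookUp` that populates the match (in a real deployment it would subclass `elastalert.enhancements.BaseEnhancement`), and a simplified re-implementation of how the email alerter picks recipients from `email_from_field` (the `@`-check and `email_add_domain` handling are my reading of the alerter's behaviour, stated here as an assumption). The CSV rows, the `service` field and the rule values are constructed.

```python
import csv
import io
import logging

logger = logging.getLogger(__name__)

# Constructed lookup table standing in for the CSV file the enhancement reads on disk.
LOOKUP_CSV = """service,recipient
orders,orders-team@example.com
billing,billing-oncall
"""


def fetch_lookup_value(csv_text, search_key, search_value, result_key, default_value):
    """Value of result_key from the first row whose search_key equals search_value,
    or default_value when nothing matches or the CSV is malformed."""
    try:
        for row in csv.DictReader(io.StringIO(csv_text)):
            if row[search_key] == search_value:
                return row[result_key]
    except (KeyError, csv.Error) as exc:
        logger.error("lookup failed: %s", exc)
    return default_value


class AlertParameterLookUp(object):
    """Hypothetical enhancement. In ElastAlert it would subclass
    elastalert.enhancements.BaseEnhancement and be listed under match_enhancements;
    process() is called with the match dict before the alerter runs."""

    def __init__(self, rule, csv_text=LOOKUP_CSV):
        self.rule = rule
        self.csv_text = csv_text

    def process(self, match):
        service = match.get("service", "")
        recipient = fetch_lookup_value(self.csv_text, "service", service, "recipient", "")
        if recipient:
            match["osb_recipient_email"] = recipient
        else:
            # An empty value means email_from_field has nothing to read, so the
            # alert will go to the rule's static "email" list instead.
            logger.warning("no recipient for service %r; using rule email", service)


def resolve_recipients(rule, match):
    """Simplified re-implementation (assumption, not ElastAlert's code) of how the
    email alerter derives the To: list: start from the rule's static email list and
    override it from email_from_field when the match carries a usable address.
    A bare name without '@' is only used when email_add_domain is set."""
    emails = rule["email"]
    to_addr = list(emails) if isinstance(emails, list) else [emails]
    field = rule.get("email_from_field")
    recipient = match.get(field) if field else None
    domain = rule.get("email_add_domain")
    if isinstance(recipient, str):
        if "@" in recipient:
            to_addr = [recipient]
        elif domain:
            to_addr = [recipient + domain]
    elif isinstance(recipient, list):
        to_addr = [r + domain for r in recipient] if domain else list(recipient)
    return to_addr


# Constructed rule mirroring the shape of the one posted above.
RULE = {
    "alert": "email",
    "email": "ops-team@example.com",
    "email_from_field": "osb_recipient_email",
}


def route(match, rule=RULE):
    """Run the enhancement, then the recipient resolution, for one match."""
    AlertParameterLookUp(rule).process(match)
    return resolve_recipients(rule, match)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    for svc in ("orders", "billing", "unknown"):
        print(svc, "->", route({"service": svc}))
```

Running it shows the three cases Qmando's question separates: a full address in the match is used as-is, a bare name is dropped unless `email_add_domain` is set (so the alert quietly goes to the rule's static `email`), and a failed lookup never raises but leaves the field unset, which is only visible through the warning log line.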
Qmando commented 5 years ago

What is your problem? Does osb_recipient_email get populated in the alert but email_from_field doesn't work? Does it not get populated at all? If not, is your enhancement throwing errors?