Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

opsgenie_alias does not accept dict fields #2288

Open invizus opened 5 years ago

invizus commented 5 years ago

I send logs to elasticsearch with the filebeat system module (version 6.4). Am I correct to understand that opsgenie_alias will check fields in the downloaded document? The field I need opsgenie_alias to check is system.syslog.hostname. However, elastalert will only understand fields without dots (tested).

From my rule:

type: any
index: filebeat-*
timeframe:
    minutes: 2
filter:
- term:
    system.auth.program: "syslogtag"
alert:
- "opsgenie"
opsgenie_alias: "syslogtag {system.syslog.hostname}"

Error I get:

  File "/usr/local/lib/python2.7/dist-packages/elastalert/opsgenie.py", line 92, in alert
    post['alias'] = self.alias.format(**matches[0])
AttributeError: 'dict' object has no attribute 'syslog'

I also tried opsgenie_alias: "syslogtag {hostname}", error:

  File "/usr/local/lib/python2.7/dist-packages/elastalert/opsgenie.py", line 92, in alert
    post['alias'] = self.alias.format(**matches[0])
KeyError: 'hostname'

invizus commented 5 years ago

Someone suggested using a Python dict, but it still does not work.

opsgenie_alias: {system["syslog"]["hostname"]}

klaatu51 commented 5 years ago

I have the same problem trying to set a custom message as documented here https://elastalert.readthedocs.io/en/latest/ruletypes.html#opsgenie.

opsgenie_message: "New party created for {e.Properties.TenantId}"

  File "/opt/elastalert/elastalert/elastalert.py", line 1341, in alert
    return self.send_alert(matches, rule, alert_time=alert_time, retried=retried)
  File "/opt/elastalert/elastalert/elastalert.py", line 1430, in send_alert
    alert.alert(matches)
  File "/opt/elastalert/elastalert/opsgenie.py", line 71, in alert
    self.message = self.custom_message.format(**matches[0])
AttributeError: 'dict' object has no attribute 'Properties'

piellick commented 5 years ago

Hi everyone, have you found a workaround?

oownus commented 4 years ago

@invizus maybe something like this? opsgenie_alias: "syslogtag {system[syslog.hostname]}"

I had to debug it a bit, but it seems like the match dictionary only goes down one level.

e.g.

[{
     ...
    'output': {
        'fd.name': '/root/.ssh/authorized_keys',
        'proc.pname': 'python2',
        'container.image.repository': 'us.gcr.io/xxxx',

invizus commented 4 years ago

I do not think that helped. I am on latest version.

oownus commented 4 years ago

Try printing out the values and see what it looks like

Insert elastalert_logger.info(matches) before this code: https://github.com/Yelp/elastalert/blob/master/elastalert/elastalert.py#L1545

I noticed it was differently structured for each case.
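
The tracebacks in this thread and oownus's bracket workaround all come down to how Python's str.format resolves a field name when the alerter calls template.format(**matches[0]): a dot means getattr, square brackets mean a dict lookup with the literal text between the brackets as the key, and a dotted key such as "system.syslog.hostname" at the top level can never be reached through kwargs at all. The following is an added example, not code from this issue or from elastalert. It mirrors that format call against constructed sample matches in the three shapes mentioned above (fully nested, one level deep with dotted keys inside, and flattened), and then shows a small formatter that resolves dotted paths by dict lookup whatever the shape. The sample data and the names render_like_opsgenie, lookup, DottedFormatter and render_dotted are all constructed for this example and are not ElastAlert's.

```python
import string

# Constructed sample matches, not real ElastAlert output. The same filebeat/falco
# field can arrive in different shapes depending on how the document was indexed.
NESTED_MATCH = {  # fully nested, as filebeat's system module usually produces
    "@timestamp": "2019-06-01T12:00:00Z",
    "system": {"syslog": {"hostname": "web-01", "program": "sshd"}},
}
ONE_LEVEL_MATCH = {  # the shape oownus reported: one level deep, dotted keys inside
    "@timestamp": "2019-06-01T12:00:00Z",
    "output": {"fd.name": "/root/.ssh/authorized_keys", "proc.pname": "python2"},
}
DOTTED_MATCH = {  # fully flattened: the dotted path is itself the key
    "@timestamp": "2019-06-01T12:00:00Z",
    "system.syslog.hostname": "web-01",
}


def render_like_opsgenie(template, match):
    """Mirror the call quoted in the tracebacks: template.format(**matches[0]).

    Returns the rendered string, or the name of the exception str.format raises,
    so the failure modes seen in the thread can be compared side by side:
      {a.b.c}   -> getattr on the dict for 'b'        -> AttributeError
      {hostname} -> top-level key that does not exist -> KeyError
      {a[b][c]} -> dict lookups with literal keys     -> works on nested dicts
      {a[b.c]}  -> the text inside [] is taken verbatim, dots included
    """
    try:
        return template.format(**match)
    except (AttributeError, KeyError, IndexError) as exc:
        return type(exc).__name__


def lookup(obj, dotted):
    """Resolve a dotted field path against a match of any shape above:
    fully nested, flattened, or nested containers holding dotted keys."""
    if not isinstance(obj, dict):
        raise KeyError(dotted)
    if dotted in obj:  # exact key, e.g. "fd.name" or a flat "system.syslog.hostname"
        return obj[dotted]
    parts = dotted.split(".")
    for i in range(len(parts) - 1, 0, -1):  # longest prefix first: "a.b", then "a"
        head, rest = ".".join(parts[:i]), ".".join(parts[i:])
        if head in obj:
            return lookup(obj[head], rest)
    raise KeyError(dotted)


class DottedFormatter(string.Formatter):
    """Formatter where {a.b.c} means a dict path lookup, never attribute access.

    Only dotted paths are supported (no [index] syntax). Restricting resolution
    to dict keys also removes str.format's attribute traversal ({x.__class__...}),
    which matters if rule templates are ever not fully trusted. Unknown fields
    render as a visible placeholder rather than raising and losing the alert.
    """

    def get_field(self, field_name, args, kwargs):
        try:
            return lookup(kwargs, field_name), field_name
        except KeyError:
            return "<missing:%s>" % field_name, field_name


def render_dotted(template, match):
    """Render an alias/message template against a match using dotted paths."""
    return DottedFormatter().vformat(template, (), match)


if __name__ == "__main__":
    print(render_like_opsgenie("syslogtag {system.syslog.hostname}", NESTED_MATCH))
    print(render_like_opsgenie("syslogtag {system[syslog][hostname]}", NESTED_MATCH))
    print(render_like_opsgenie("{output[fd.name]}", ONE_LEVEL_MATCH))
    print(render_dotted("syslogtag {system.syslog.hostname}", NESTED_MATCH))
    print(render_dotted("syslogtag {system.syslog.hostname}", DOTTED_MATCH))
```

Because the bracket form depends on the match shape ({system[syslog][hostname]} works for a nested document while {output[fd.name]} is what a one-level document needs), printing matches[0] as oownus suggests is the right first step; the dotted resolver above is what you would reach for if you wanted one template to survive both shapes.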