Open ghlilou97 opened 4 years ago
Take a look at my rule:
```yaml
# Alert when the total number of events is under a given threshold for a time period
# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com
# (Optional)
# Elasticsearch port
# es_port: 14900
# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True
# (Optional) basic-auth username and password for elasticsearch
#es_username: someusername
#es_password: somepassword
# (Required)
# Rule name, must be unique
name: No events from Endpoint
# (Required)
# Type of alert.
# the flatline rule will alert when fewer than threshold events are seen within a timeframe
type: flatline
# (Required)
# Index to search, wildcard supported
index: endpoint-*
# (Required)
# The minimum number of events for an alert not to be triggered.
threshold: 1
# (Optional)
# An alert will be triggered if any value of query_key has been seen at least once and then falls below the threshold.
query_key: endpoint.hostname
# (Required if query_key is used)
# ElastAlert will "forget" about the query_key value that triggers an alert, therefore preventing any more alerts for it until it's seen again
forget_keys: true
# (Required, flatline specific)
# The time period that must contain less than threshold events.
timeframe:
  minutes: 10
# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
# Filter removes computerized workplaces with agents installed
filter:
- query:
    query_string:
      query: "endpoint.hostname: endpoint1"
# (Required)
# The alert is used when a match is found
alert:
- "email"
from_addr: "send@alert.com"
alert_subject_args:
- "key"
- "@timestamp"
alert_subject: "Alert: {0} stopped sending auditbeat events {1}"
smtp_host: "8.8.8.8"
# (required, email specific)
# a list of email addresses to send alerts
email:
- "receive@alert.com"
```
Hello, I want to know if there is any way to make a rule for not receiving, or stopping receiving, logs from any machine?
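To show what the `flatline` rule above does per `query_key` value, here is an added simulation of its matching logic (example code written for this thread, not ElastAlert's own implementation). It assumes the rule is evaluated every 10 minutes, that every `endpoint.hostname` value is in scope (the posted `filter` actually restricts matches to `endpoint1` only, so with that filter the rule could never notice other hosts going silent), and uses constructed sample events. Each run counts events per host inside the trailing `timeframe`; a host that has been seen at least once and then has fewer than `threshold` events is reported, and with `forget_keys: true` it is dropped from tracking until it sends again, so a silent host is reported once rather than on every run.

```python
from datetime import datetime, timedelta

TIMEFRAME = timedelta(minutes=10)   # timeframe: minutes: 10
THRESHOLD = 1                       # threshold: 1

# Constructed sample events (timestamp, endpoint.hostname); not from the original issue.
T0 = datetime(2024, 1, 1, 12, 0, 0)
EVENTS = [
    (T0 + timedelta(minutes=0), "endpoint1"),
    (T0 + timedelta(minutes=2), "endpoint2"),
    (T0 + timedelta(minutes=5), "endpoint1"),
    (T0 + timedelta(minutes=12), "endpoint2"),
    (T0 + timedelta(minutes=25), "endpoint1"),   # endpoint1 comes back after a gap
]


class FlatlineTracker:
    """Per-query_key flatline detection with optional forget_keys semantics (simplified model)."""

    def __init__(self, timeframe, threshold, forget_keys=True):
        self.timeframe = timeframe
        self.threshold = threshold
        self.forget_keys = forget_keys
        self.tracked = set()            # key values seen at least once and not yet forgotten
        self.last_run = datetime.min    # only events newer than this can (re)start tracking

    def run(self, events, now):
        """Evaluate one scheduled run at `now`; return the sorted keys that flatlined."""
        window_start = now - self.timeframe
        counts = {}
        for ts, host in events:
            if self.last_run < ts <= now:
                # Any new event (re)starts tracking for its key, even a forgotten one.
                self.tracked.add(host)
            if window_start < ts <= now:
                counts[host] = counts.get(host, 0) + 1
        alerts = sorted(k for k in self.tracked if counts.get(k, 0) < self.threshold)
        if self.forget_keys:
            # Stop watching the keys we just alerted on until they send again.
            self.tracked.difference_update(alerts)
        self.last_run = now
        return alerts


def simulate(forget_keys=True, runs=5, every=timedelta(minutes=10)):
    """Run the tracker every `every` over the sample events; return [(minutes since T0, alerts)]."""
    tracker = FlatlineTracker(TIMEFRAME, THRESHOLD, forget_keys=forget_keys)
    out = []
    for i in range(1, runs + 1):
        now = T0 + every * i
        out.append((int((now - T0).total_seconds() // 60), tracker.run(EVENTS, now)))
    return out


if __name__ == "__main__":
    for minute, alerts in simulate():
        print(f"t+{minute:>2}m: {alerts or 'no alert'}")
```

With `forget_keys=True` the sample produces one alert for `endpoint1` at t+20, one for `endpoint2` at t+30, and a second `endpoint1` alert at t+40 only because it sent again at t+25 and then went quiet; `endpoint2` is not re-reported at t+40 or t+50. Run `simulate(forget_keys=False)` to see both hosts reported on every run once they are silent, which is what the posted rule avoids.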