Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0
7.98k stars 1.73k forks

alert for not receiving log #2627

Open ghlilou97 opened 4 years ago

ghlilou97 commented 4 years ago

Hello, I want to know if there is any way to make a rule for not receiving or stopping receiving logs from any machine?

aalgelis commented 4 years ago

Take a look at my rule:

# Alert when the total number of events is under a given threshold for a time period

# (Optional)
# Elasticsearch host
# es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
# es_port: 14900

# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True

# (Optional) basic-auth username and password for elasticsearch
#es_username: someusername
#es_password: somepassword

# (Required)
# Rule name, must be unique
name: No events from Endpoint

# (Required)
# Type of alert.
# the flatline rule will alert when the number of matching events drops below the threshold within a timeframe
type: flatline

# (Required)
# Index to search, wildcard supported
index: endpoint-*

# (Required)
# The minimum number of events for an alert not to be triggered.
threshold: 1

# (Optional)
# An alert will be triggered if any value of query_key has been seen at least once and then falls below the threshold.
query_key: endpoint.hostname

# (Required if query_key is used)
# ElastAlert will "forget" about the query_key value that triggers an alert, therefore preventing any more alerts for it until it's seen again
forget_keys: true

# (Required, flatline specific)
# The time period that must contain less than threshold events.
timeframe:
  minutes: 10

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
# This filter limits the rule to events from the host endpoint1
filter:
- query:
    query_string:
      query: "endpoint.hostname: endpoint1"

# (Required)
# The alert is used when a match is found
alert:
- "email"
from_addr: "send@alert.com"
alert_subject_args:
- "key"
- "@timestamp"
alert_subject: "Alert: {0} stopped sending auditbeat events {1}"
smtp_host: "8.8.8.8"

# (required, email specific)
# a list of email addresses to send alerts
email:
- "receive@alert.com"
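To make the behaviour of a flatline rule with query_key and forget_keys concrete, here is an added simulation (example code, not ElastAlert's own implementation) that replays a constructed per-host event stream through the same threshold/timeframe settings as the rule above. Hostnames, timestamps and the 1-minute run interval are assumptions; unlike the rule above, it applies no hostname filter, so every host that appears is tracked, which is the "any machine" case from the question.

```python
"""Simulation of an ElastAlert ``flatline`` rule with ``query_key`` and ``forget_keys``.

Added example, not ElastAlert's own code: it re-implements the documented
flatline behaviour (alert when a key that has been seen before produces fewer
than ``threshold`` events in ``timeframe``; with ``forget_keys`` the key is
dropped after alerting until it is seen again) over a constructed event stream.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Settings mirroring the rule above (constructed; no hostname filter, so every
# host that ever shows up is tracked).
RULE = {
    "threshold": 1,
    "timeframe": timedelta(minutes=10),
    "query_key": "endpoint.hostname",
    "forget_keys": True,
    "alert_subject": "Alert: {0} stopped sending auditbeat events {1}",
}

T0 = datetime(2020, 1, 1, 0, 0)


def minute(m):
    """Timestamp m minutes after the (constructed) start of the stream."""
    return T0 + timedelta(minutes=m)


# Constructed events (not real auditbeat data): (timestamp, hostname).
# endpoint1 reports every 3 minutes; endpoint2 goes quiet after minute 3,
# returns at minute 24, and goes quiet again after minute 27.
EVENTS = [(minute(m), "endpoint1") for m in range(0, 40, 3)]
EVENTS += [(minute(m), "endpoint2") for m in (0, 3, 24, 27)]


def run_flatline(events, rule, run_every=timedelta(minutes=1)):
    """Replay ``events`` through the rule; return [(alert_time, key), ...].

    Runs are simulated every ``run_every`` from the first to the last event,
    so silence after the final event is not evaluated.
    """
    events = sorted(events)
    threshold, timeframe = rule["threshold"], rule["timeframe"]
    windows = defaultdict(deque)  # key -> timestamps inside the current window
    first_seen = {}               # key -> when it was first seen since last forget
    alerts = []
    i, now = 0, events[0][0]
    while now <= events[-1][0]:
        # Ingest everything with @timestamp <= now, as the query for this run would.
        while i < len(events) and events[i][0] <= now:
            ts, key = events[i]
            windows[key].append(ts)
            first_seen.setdefault(key, ts)
            i += 1
        for key in list(first_seen):
            window = windows[key]
            while window and window[0] <= now - timeframe:
                window.popleft()      # drop events older than the timeframe
            if now - first_seen[key] < timeframe:
                continue              # a full timeframe must elapse before judging a key
            if len(window) < threshold:
                alerts.append((now, key))
                if rule["forget_keys"]:
                    # Forget the key: no further alerts until it is seen again.
                    del first_seen[key]
                    del windows[key]
                # Without forget_keys the key stays armed and fires on every run;
                # a real deployment would rely on `realert` to suppress repeats.
        now += run_every
    return alerts


def format_subject(rule, key, ts):
    """Render alert_subject with alert_subject_args [key, @timestamp]."""
    return rule["alert_subject"].format(key, ts.isoformat())


if __name__ == "__main__":
    for ts, key in run_flatline(EVENTS, RULE):
        print(format_subject(RULE, key, ts))
```

With forget_keys enabled the stream produces exactly two alerts for endpoint2: one when its last event ages out of the 10-minute window at minute 13, and a second at minute 37 only because the host was seen again at minute 24 and therefore re-armed. Running the same stream with forget_keys set to False shows why the option matters: the quiet host fires on every run until it reports again.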