I'm using Elastalert with Sigma rules for enabling alerting in my SIEM. I have a three-node Elasticsearch cluster. When I launch Elastalert I can see that, in the index elastalert_status_status, queries are being made but, if I add them up by execution range, they never reach the total number of rules in the directory (1473). They reach a total between 1457 and 1461. It's not steady, so I will exclude a rule-related problem. I decided to implement a load balancer to try to balance the traffic between all nodes and, hopefully, consistently reach the total. Reading a previous issue ( #614 ) I saw that haproxy is recommended for this task.
My elastalert configuration looks like this:
Keep in mind that this is a test environment. I know that this configuration will raise some warnings related to TLS certificates, but I'm trying to resolve this issue first. (I had the same problem in an HTTP environment, btw.)
My haproxy configuration looks like this:
The haproxy service started and I can see that the localhost ports are open and in LISTEN mode. I already configured iptables on my Elastalert machine and firewall rules for reaching all ES nodes.
I'm executing Elastalert with the following command:
The problem is not solved and I don't know if this is something that should happen or if it's something related to a possible error in my configuration. Any suggestions? Thanks
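An added diagnostic (example code, not from the issue author or from ElastAlert itself) that turns the count comparison in the report into a per-rule list: it assumes elastalert_status documents carry the rule_name and @timestamp fields and that the expected rule names come from the rules directory, and it reports which rules produced no status record inside one run window and which were recorded more than once.

```python
"""Attribute the gap between the rule count (1473) and the status-record
count (~1457-1461) to specific rules instead of comparing totals.
Assumptions: status docs have 'rule_name' and '@timestamp' (ISO-8601, UTC);
expected_rules is the list of rule names loaded from the rules directory."""
from collections import Counter
from datetime import datetime, timezone


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamps written to the status index ('Z' = UTC)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def rules_missing_from_window(status_docs, expected_rules, window_start, window_end):
    """Return (sorted missing rule names, per-rule run counts) for docs whose
    @timestamp lies in [window_start, window_end)."""
    runs = Counter()
    for doc in status_docs:
        if window_start <= parse_ts(doc["@timestamp"]) < window_end:
            runs[doc["rule_name"]] += 1
    missing = sorted(set(expected_rules) - set(runs))
    return missing, runs


# Constructed sample: five expected rules, a two-minute run window, one rule
# never queried in the window (sigma_d) and one queried twice (sigma_c).
SAMPLE_RULES = ["sigma_a", "sigma_b", "sigma_c", "sigma_d", "sigma_e"]
SAMPLE_STATUS = [
    {"rule_name": "sigma_a", "@timestamp": "2021-05-01T10:00:05Z", "hits": 0, "matches": 0},
    {"rule_name": "sigma_b", "@timestamp": "2021-05-01T10:00:06Z", "hits": 3, "matches": 1},
    {"rule_name": "sigma_c", "@timestamp": "2021-05-01T10:00:07Z", "hits": 0, "matches": 0},
    {"rule_name": "sigma_c", "@timestamp": "2021-05-01T10:00:09Z", "hits": 0, "matches": 0},
    {"rule_name": "sigma_e", "@timestamp": "2021-05-01T10:00:10Z", "hits": 1, "matches": 0},
    {"rule_name": "sigma_d", "@timestamp": "2021-05-01T10:03:00Z", "hits": 0, "matches": 0},  # next window
]
WINDOW_START = datetime(2021, 5, 1, 10, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 5, 1, 10, 2, tzinfo=timezone.utc)


def sample_report() -> dict:
    """Summarise the constructed sample: expected vs. queried, missing, repeated."""
    missing, runs = rules_missing_from_window(SAMPLE_STATUS, SAMPLE_RULES, WINDOW_START, WINDOW_END)
    return {
        "expected": len(SAMPLE_RULES),
        "queried": len(runs),
        "missing": missing,
        "repeated": sorted(name for name, n in runs.items() if n > 1),
    }


if __name__ == "__main__":
    print(sample_report())
```

Running it against real documents pulled from the status index over a few consecutive windows shows whether the same rules drop out every run (a rule or timing problem) or different ones each time (a query or node problem).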