Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0
7.97k stars, 1.73k forks

Elastalert not querying all rules #3221

Closed zaneef closed 2 years ago

zaneef commented 2 years ago

I'm using Elastalert with Sigma rules to enable alerting in my SIEM. I have a three-node Elasticsearch cluster. When I launch Elastalert I can see that, in the index elastalert_status_status, queries are being made but, if I add them up by execution range, they never reach the total number of rules in the directory (1473). They reach a total between 1457 and 1461. It's not steady, so I will exclude a rule-related problem.

[image]

I decided to put a load balancer in place to try to balance the traffic between all nodes and, hopefully, consistently reach the total. Reading a previous issue (#614) I saw that haproxy is recommended for this task.

My elastalert configuration looks like this:

rules_folder: /opt/elastalert/rules
run_every:
  minutes: 5
buffer_time:
  minutes: 900
es_host: <elasticsearch-node01-ip>
es_port: 9200
es_username: <username>
es_password: <password>
use_ssl: True
verify_certs: False
#ca_certs: /opt/elastalert/certs/elastalert-ca.crt
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 1

Keep in mind that this is a test environment. I know that this configuration will raise some warnings related to TLS certificates, but I'm trying to resolve this issue first. (I had the same problem in an HTTP environment, btw.)

My haproxy configuration looks like this:

global
  nbthread 4
  maxconn 20480

defaults
  retries 3
  timeout connect 10s
  timeout client 30s
  timeout server 30s
  # More timeouts
  timeout http-request 10s
  timeout http-keep-alive 2s
  timeout queue 5s
  timeout tunnel 2m
  timeout client-fin 1s
  timeout server-fin 1s

frontend elasticsearch
  bind 0.0.0.0:4200
  bind 0.0.0.0:4201
  bind 0.0.0.0:4202
  mode tcp
  default_backend elasticsearch_backend

backend elasticsearch_backend
  balance roundrobin
  mode tcp
  server node01 <elasticsearch-node01-ip>:9200 check
  server node02 <elasticsearch-node02-ip>:9200 check
  server node03 <elasticsearch-node03-ip>:9200 check

The haproxy service started and I can see that the localhost ports are open and in LISTEN state. I already configured iptables on my Elastalert machine and firewall rules for reaching all ES nodes.

I'm executing Elastalert with the following command:

python3 -m elastalert.elastalert --config=/opt/elastalert/config.yaml --verbose

The problem is not solved and I don't know whether this is something that should happen or whether it's related to a possible error in my configuration. Any suggestions? Thanks
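As an added example (not code from the original issue or from the ElastAlert project), the following script does the bookkeeping described in the post in a repeatable way: it compares the rule names found under the rules folder with the rule_name values written to the writeback status index and reports, per run_every window, which rules produced no query at all. That turns "1457 of 1473" into a concrete list of rule names per run, which is what you need to decide whether the gap is rule-specific or scheduling-related. Assumptions that are not on the page: the status documents carry the stock ElastAlert fields rule_name and @timestamp, each rule file has a top-level `name:` key, runs are approximated by flooring @timestamp to run_every, and the sample documents at the bottom are constructed for the example. The fetch helper talks to the plain _search API over urllib and verifies the server certificate against a CA file instead of disabling verification.

```python
"""Report which ElastAlert rules are missing from each run_every window.

Added example for the issue above; not ElastAlert project code.
Assumptions (not taken from the page): status docs have `rule_name` and
`@timestamp`; rule files carry a top-level `name:` key; a run is
approximated by flooring `@timestamp` to `run_every`; sample data below
is constructed.
"""
import base64
import json
import os
import re
import ssl
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RUN_EVERY = timedelta(minutes=5)  # same run_every as the config in the issue

# Only a top-level `name:` line is parsed (assumption; avoids a YAML dependency).
_NAME_RE = re.compile(r"""^name:\s*['"]?(.+?)['"]?\s*$""")


def load_rule_names(rules_folder):
    """Collect the `name:` value of every *.yaml / *.yml file under rules_folder."""
    names = set()
    for root, _dirs, files in os.walk(rules_folder):
        for fn in files:
            if not fn.endswith((".yaml", ".yml")):
                continue
            with open(os.path.join(root, fn), encoding="utf-8") as fh:
                for line in fh:
                    m = _NAME_RE.match(line)
                    if m:
                        names.add(m.group(1))
                        break
    return names


def parse_ts(value):
    """Parse an ISO-8601 timestamp as written by ElastAlert, accepting a trailing Z."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def run_bucket(dt, run_every=RUN_EVERY):
    """Floor a UTC timestamp to the start of its run_every window (approximation)."""
    step = int(run_every.total_seconds())
    epoch = int(dt.timestamp())
    return datetime.fromtimestamp(epoch - epoch % step, tz=timezone.utc)


def missing_rules_per_run(status_docs, rule_names, run_every=RUN_EVERY):
    """Return {window_start: sorted rule names with no status doc in that window}."""
    seen = defaultdict(set)
    for doc in status_docs:
        seen[run_bucket(parse_ts(doc["@timestamp"]), run_every)].add(doc["rule_name"])
    expected = set(rule_names)
    return {run: sorted(expected - ran) for run, ran in sorted(seen.items())}


def fetch_status_docs(es_url, index, username, password, since, ca_certs, size=10000):
    """Pull status docs newer than `since` from the writeback index via _search.

    `size` is capped by index.max_result_window (10000 by default), i.e. a few
    runs of ~1500 rules each; narrow `since` rather than raising it.
    """
    body = {
        "size": size,
        "_source": ["rule_name", "@timestamp"],
        "query": {"range": {"@timestamp": {"gte": since.isoformat()}}},
    }
    req = urllib.request.Request(
        f"{es_url.rstrip('/')}/{index}/_search",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
    )
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=ca_certs)  # verify, do not disable
    with urllib.request.urlopen(req, context=ctx) as resp:
        hits = json.load(resp)["hits"]["hits"]
    return [h["_source"] for h in hits]


# Constructed sample data: three rules, two runs, rule B silent in the second.
SAMPLE_RULES = {"Sigma rule A", "Sigma rule B", "Sigma rule C"}
SAMPLE_STATUS_DOCS = [
    {"rule_name": "Sigma rule A", "@timestamp": "2022-03-01T10:00:03Z"},
    {"rule_name": "Sigma rule B", "@timestamp": "2022-03-01T10:00:12Z"},
    {"rule_name": "Sigma rule C", "@timestamp": "2022-03-01T10:01:40Z"},
    {"rule_name": "Sigma rule A", "@timestamp": "2022-03-01T10:05:02Z"},
    {"rule_name": "Sigma rule C", "@timestamp": "2022-03-01T10:06:15Z"},
]

if __name__ == "__main__":
    for run, missing in missing_rules_per_run(SAMPLE_STATUS_DOCS, SAMPLE_RULES).items():
        print(run.isoformat(), "missing:", missing or "none")
```

Against a real deployment, replace the sample data with `load_rule_names("/opt/elastalert/rules")` and `fetch_status_docs("https://<es-host>:9200", "elastalert_status_status", user, password, since, "/opt/elastalert/certs/elastalert-ca.crt")`. Because rules are scheduled with some spread inside a window, a rule that appears "missing" in one bucket and twice in the next is a boundary artefact; a rule that is missing from several consecutive buckets is the one worth looking at.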

nsano-rururu commented 2 years ago

https://github.com/Yelp/elastalert/issues/3178

zaneef commented 2 years ago

This worked like a charm. Thank you