Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Run the rule, when the event occurs and elastalert automatically disabled that rule #3223

Open linhthieuza opened 3 years ago

linhthieuza commented 3 years ago

I have a problem. I ran a list of rules. Their rule structure is the same. However, some rules are disabled when an event occurs, while other rules work.

My rule:

es_host: #[**Hide information***]
es_port: #[**Hide information***]
name: rule.id.204
type: frequency
index: wazuh-alerts-*
num_events: 1
timeframe:
    hours: 1
filter:
- term:
    rule.id: "204"
realert:
  minutes: 0
alert: hivealerter
hive_connection:
#[**Hide information***]
hive_alert_config:
  title: '{match[rule][description]}'
  type: 'wazuh-elastalert'
  source: 'wazuh-elastalert'
  description: '{rule[name]}'
  severity: 2
  tags: ['{rule[name]}', '{match[agent][group]}', '{match[rule][level]}']
  tlp: 3
  status: 'New'
  follow: True

hive_observable_data_mapping:
    - id: "{match[id]}"
    - ip: "{match[data][srcip]}"
    - agent_group: "{match[agent][group]}"
    - rule_description: "{match[rule][description]}"
    - agent_name: "{match[agent][name]}"
    - agent_ip: "{match[agent][ip]}"
    - full_log: "{match[full_log]}"

Status elastalert.service:

Nov 17 00:50:39 elastalert-prod python3[552034]: warnings.warn(
Nov 17 00:50:39 elastalert-prod python3[552034]: /usr/lib/python3/dist-packages/urllib3/connectionpool.py:999: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.0.8'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
Nov 17 00:50:39 elastalert-prod python3[552034]: warnings.warn(
Nov 17 00:50:39 elastalert-prod python3[552034]: INFO:elastalert:Ran rule.id.100016 from 2021-11-17 00:35 UTC to 2021-11-17 00:50 UTC: 0 query hits (0 already seen), 0 matches, 0 alerts sent
Nov 17 00:50:42 elastalert-prod python3[552034]: INFO:elastalert:Disabled rules are: ['rule.id.40101', 'rule.id.204']
Nov 17 00:50:42 elastalert-prod python3[552034]: INFO:elastalert:Sleeping for 119.999744 seconds
Nov 17 00:50:44 elastalert-prod python3[552034]: /usr/lib/python3/dist-packages/urllib3/connectionpool.py:999: InsecureRequestWarning: Unverified HTTPS request is being made to host '10.0.0.8'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings
Nov 17 00:50:44 elastalert-prod python3[552034]: warnings.warn(
Nov 17 00:50:44 elastalert-prod python3[552034]: INFO:elastalert:Background configuration change check run at 2021-11-17 00:50 UTC
Nov 17 00:50:44 elastalert-prod python3[552034]: INFO:elastalert:Background alerts thread 0 pending alerts sent at 2021-11-17 00:50 UTC
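Added example, not the issue's or ElastAlert's own code: ElastAlert disables a rule whose alerter raises an uncaught exception (the default disable_rules_on_error behaviour), so a mapping that references a field absent from some matches is one thing worth checking before a rule goes live. Assuming the hive_observable_data_mapping values are rendered with Python str.format against the match document, this script renders the mapping above against two constructed Wazuh-style matches and lists the templates that cannot be rendered.

```python
# Added example, not ElastAlert's own code. Assumption: mapping values are
# rendered with Python str.format against the match, so "{match[data][srcip]}"
# becomes match["data"]["srcip"] and a missing field raises KeyError.
from typing import List, Tuple

# hive_observable_data_mapping copied from the rule in the issue
OBSERVABLE_MAPPING = [
    {"id": "{match[id]}"},
    {"ip": "{match[data][srcip]}"},
    {"agent_group": "{match[agent][group]}"},
    {"rule_description": "{match[rule][description]}"},
    {"agent_name": "{match[agent][name]}"},
    {"agent_ip": "{match[agent][ip]}"},
    {"full_log": "{match[full_log]}"},
]

# Constructed Wazuh-style matches: one carries data.srcip, one does not
MATCH_WITH_SRCIP = {
    "id": "1637110800.12345",
    "data": {"srcip": "192.0.2.10"},
    "agent": {"group": "default", "name": "web01", "ip": "10.0.0.21"},
    "rule": {"description": "sshd: invalid user login attempt", "level": 5},
    "full_log": "Nov 17 00:50:00 web01 sshd[4242]: Invalid user test from 192.0.2.10",
}
MATCH_WITHOUT_SRCIP = {
    "id": "1637110801.12346",
    "agent": {"group": "default", "name": "web01", "ip": "10.0.0.21"},
    "rule": {"description": "Agent event queue is full", "level": 9},
    "full_log": "wazuh-remoted: agent event queue is full",
}

def render_observables(match: dict, mapping: List[dict]) -> List[Tuple[str, str]]:
    """Render each observable as str.format would; a missing field raises."""
    rendered = []
    for entry in mapping:
        for obs_type, template in entry.items():
            rendered.append((obs_type, template.format(match=match)))
    return rendered

def check_mapping(match: dict, mapping: List[dict]) -> List[str]:
    """Return the templates this match cannot satisfy; an empty list means
    the alerter would not raise on this event and the rule stays enabled."""
    unrenderable = []
    for entry in mapping:
        for template in entry.values():
            try:
                template.format(match=match)
            except (KeyError, IndexError, TypeError):
                unrenderable.append(template)
    return unrenderable
```

Running check_mapping over a sample of real hits for each rule (for example the documents returned by the rule's own filter) shows which templates need a guaranteed field before the rule is deployed.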

nsano-rururu commented 3 years ago

Look at https://github.com/Yelp/elastalert/issues/3178

linhthieuza commented 3 years ago

Thank you.