Yelp / elastalert

Easy & Flexible Alerting With ElasticSearch
https://elastalert.readthedocs.org
Apache License 2.0

Rule query is not accurate #3228

Closed ktpktr0 closed 2 years ago

ktpktr0 commented 2 years ago

I use the following expression to query for log errors, but it will alarm as long as it matches one of the keywords. Using "and" or "at the same time" does not take effect.

name: for test
type: frequency
index: test-*
num_events: 10
timeframe:
  minutes: 2
realert:
  minutes: 5
filter:
- query:
    query_string:
      query: "DB ERROR"

Using "and":

name: for test
type: frequency
index: test-*
num_events: 10
timeframe:
  minutes: 2
realert:
  minutes: 5
filter:
- query:
    query_string:
#      query: "message: DB ERROR"
      query: "message: DB ERROR AND Error Content = query time out"

When "dB / DB" or "error / error" appears in the log, an alarm will be given.
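In Elasticsearch's query_string syntax the default operator is OR and an unquoted multi-word string is split into separate terms, so a query such as message: DB ERROR matches a document that contains either "DB" or "ERROR". The following is an added example rule, not code from this thread, that only fires when both phrases occur in the same message; it uses a bool filter with match_phrase clauses so nothing depends on query_string parsing, and the index pattern and the "message" field name are assumptions carried over from the rule above.

```yaml
name: for test (both phrases required)
type: frequency
index: test-*
num_events: 10
timeframe:
  minutes: 2
realert:
  minutes: 5
filter:
# Every clause under "must" has to match, and match_phrase keeps the
# words of each phrase together and in order instead of splitting
# them into independent OR'ed terms.
- bool:
    must:
    - match_phrase:
        message: "DB ERROR"
    - match_phrase:
        message: "query time out"
# Equivalent query_string form: quote each phrase and join them with AND.
# - query:
#     query_string:
#       query: 'message:"DB ERROR" AND message:"query time out"'
#       default_operator: AND
```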

nsano-rururu commented 2 years ago

Please do not write an issue as this repository is dead.

look https://github.com/Yelp/elastalert/issues/3178

ktpktr0 commented 2 years ago

Through research, I have solved the problem of using SSL to connect the ES cluster with elastalert. The following is the method to generate the certificate:

Use the digital certificate tool elasticsearch-certutil provided by elasticsearch to create the required certificate:

Create a self-signed CA certificate, set the access password for the certificate, enter the elasticsearch installation directory/bin, create an ssl folder to store verification-related files; the default output file name is elastic-stack-ca.p12:

/usr/share/elasticsearch/bin/elasticsearch-certutil ca --out /etc/elasticsearch/ssl/elastic-stack-ca.p12 --pass ""

Export a CA public key file from the certificate file for use when referencing the CA public key in subsequent configuration files. Enter the newly created ssl folder and execute:

openssl pkcs12 -clcerts -nokeys -in /etc/elasticsearch/ssl/elastic-stack-ca.p12 -out ca.pem

Use the self-signed CA to sign and generate a digital certificate used by logstash, with the name es01 (customizable; the host is the ES host to which elastalert is connected; with multiple masters you only need to connect to one node):

echo "" | /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca /etc/elasticsearch/ssl/elastic-stack-ca.p12 --name es01 --dns es01 --ip "IP address of es01" --pem --out /tmp/1.zip

realwhs commented 2 years ago

unsubscribe

At 2021-12-01 11:42:46, "Naoyuki Sano" @.***> wrote:

Please do not write an issue as this repository is dead.

look

3178
