Closed alexanderfichel closed 8 years ago
Hmm.. you do have aws_region set, which means it should be signing the requests using the instance role. I'm not entirely sure why that's not working. I think adding --es_debug_trace file will let you see if it's actually signing the requests or not.
You could try using a boto profile instead. This will make it look for credentials in ~/.aws/credentials. See http://elastalert.readthedocs.io/en/latest/recipes/signing_requests.html?highlight=aws.
Unrelated, but you probably don't need the es_url_prefix with Amazon's ES.
It is like it is not picking up the aws_region: us-west-2. If I start putting mistakes in the key name or value name, nothing changes, as if it is being ignored. Tried with boto profile too. When I try to run the second command from the first install docs ():
$ python setup.py install (runs okay)
$ pip install -r requirements.txt
Second command gives error:
x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-prototypes -fPIC -DBLIST_FLOAT_RADIX_SORT=1 -I/usr/include/python2.7 -c blist/_blist.c -o build/temp.linux-x86_64-2.7/blist/_blist.o
blist/_blist.c:38:20: fatal error: Python.h: No such file or directory
#include <Python.h>
^
compilation terminated.
error: command 'x86_64-linux-gnu-gcc' failed with exit status 1
----------------------------------------
Rolling back uninstall of blist
Command "/usr/bin/python -u -c "import setuptools, tokenize;__file__='/tmp/pip-build-cPRJIB/blist/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-BGxTKy-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-cPRJIB/blist/
/usr/local/lib/python2.7/dist-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
InsecurePlatformWarning
You are using pip version 8.1.0, however version 8.1.2 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
Oh, just realized that you need to put aws_region and boto_profile in the RULE yaml and not config.yaml.
Also, I think you need to run apt-get install python-devel to fix the Python.h missing error. But, if setup.py install works fine, you should have all the necessary libraries.
I tried putting aws_region in the rule, and still no luck. --es_debug_trace file creates an empty file even with the --debug and --verbose command parameters.
You could put a print statement here, https://github.com/Yelp/elastalert/blob/master/elastalert/auth.py#L42, to see if the credentials are even getting fetched properly. Like print aws_access_key_id, aws_token
Beyond trying boto_profile, I'm not sure what else to do.
I printed out the aws parameters in the auth file
print '---------------------------------------------------'
print aws_access_key_id
print aws_secret_access_key
print aws_token
print host
print aws_region
print '---------------------------------------------------'
but I still get error:
Something about "AttributeError: 'AWSRequestsAuth' object has no attribute 'split'"
---------------------------------------------------
[ACCESS_KEY]
[SECRET_KEY]
[TOKEN_HIDDEN]
search-itmcc-elasticsearch-cluster-47ux565rtlkza7gewdodwdh7b4.us-west-2.es.amazonaws.com
us-west-2
---------------------------------------------------
ERROR:root:Traceback (most recent call last):
File "elastalert/elastalert.py", line 753, in run_all_rules
num_matches = self.run_rule(rule, endtime, self.starttime)
File "elastalert/elastalert.py", line 516, in run_rule
self.current_es = self.new_elasticsearch(rule_es_conn_config)
File "elastalert/elastalert.py", line 143, in new_elasticsearch
send_get_body_as=es_conn_conf['send_get_body_as'])
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/__init__.py", line 150, in __init__
self.transport = transport_class(_normalize_hosts(hosts), **kwargs)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 113, in __init__
self.set_connections(hosts)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 166, in set_connections
connections = map(_create_connection, hosts)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 165, in _create_connection
return self.connection_class(**kwargs)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_requests.py", line 35, in __init__
http_auth = http_auth.split(':', 1)
AttributeError: 'AWSRequestsAuth' object has no attribute 'split'
ERROR:root:Uncaught exception running rule Example rule: 'AWSRequestsAuth' object has no attribute 'split'
WARNING:elasticsearch:POST http://search-itmcc-elasticsearch-cluster-47ux565rtlkza7gewdodwdh7b4.us-west-2.es.amazonaws.com:80/elastalert_status/elastalert_error?op_type=create [status:403 request:0.007s]
ERROR:root:Error writing alert info to elasticsearch: TransportError(403, u'{"Message":"User: anonymous is not authorized to perform: es:ESHttpPost on resource: itmcc-elasticsearch-cluster"}')
Traceback (most recent call last):
File "elastalert/elastalert.py", line 1022, in writeback
doc_type=doc_type, body=body)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 68, in _wrapped
return func(*args, params=params, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/__init__.py", line 227, in create
return self.index(index, doc_type, body, id=id, params=params, op_type='create')
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/utils.py", line 68, in _wrapped
return func(*args, params=params, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/client/__init__.py", line 257, in index
_make_path(index, doc_type, id), params=params, body=body)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/transport.py", line 301, in perform_request
status, headers, data = connection.perform_request(method, url, params, body, ignore=ignore, timeout=timeout)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/http_requests.py", line 72, in perform_request
self._raise_error(response.status_code, raw_data)
File "/usr/local/lib/python2.7/dist-packages/elasticsearch/connection/base.py", line 102, in _raise_error
raise HTTP_EXCEPTIONS.get(status_code, TransportError)(status_code, error_message, additional_info)
AuthorizationException: TransportError(403, u'{"Message":"User: anonymous is not authorized to perform: es:ESHttpPost on resource: itmcc-elasticsearch-cluster"}')
https://github.com/DavidMuller/aws-requests-auth/issues/15#issuecomment-199323512
Try upgrading the elasticsearch library to 1.7?
My bad if the library versions are incompatible, I've never tested this feature myself.
No luck with that either. I decided to start from scratch and change the package to 1.7 in requirements.txt, but I run into this error when I run python setup.py install:
Installed /tmp/easy_install-MCuRSg/mock-2.0.0/.eggs/pbr-1.10.0-py2.7.egg
Marker evaluation failed, see the following error. For more information see: http://docs.openstack.org/developer/pbr/compatibility.html#evaluate-marker
ERROR:root:Error parsing
Traceback (most recent call last):
File "/tmp/easy_install-MCuRSg/mock-2.0.0/.eggs/pbr-1.10.0-py2.7.egg/pbr/core.py", line 111, in pbr
attrs = util.cfg_to_args(path, dist.script_args)
File "/tmp/easy_install-MCuRSg/mock-2.0.0/.eggs/pbr-1.10.0-py2.7.egg/pbr/util.py", line 248, in cfg_to_args
kwargs = setup_cfg_to_setup_kwargs(config, script_args)
File "/tmp/easy_install-MCuRSg/mock-2.0.0/.eggs/pbr-1.10.0-py2.7.egg/pbr/util.py", line 431, in setup_cfg_to_setup_kwargs
if pkg_resources.evaluate_marker('(%s)' % env_marker):
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1483, in evaluate_marker
return cls.interpret(parser.expr(text).totuple(1)[1])
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1517, in interpret
return op(nodelist)
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1431, in atom
return cls.interpret(nodelist[2])
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1517, in interpret
return op(nodelist)
File "/usr/lib/python2.7/dist-packages/pkg_resources/__init__.py", line 1452, in comparison
raise SyntaxError(msg)
SyntaxError: '<' operator not allowed in environment markers
error: Setup script exited with error in setup command: Error parsing /tmp/easy_install-MCuRSg/mock-2.0.0/setup.cfg: SyntaxError: '<' operator not allowed in environment markers
Would love to get this working. What libraries do you currently use in the requirements.txt, as well as OS? Are you using any instance in AWS? Is it ubuntu/rhel/amazon linux etc?
Someone else had this problem, https://github.com/marcan/letsencrypt-external/issues/1#issuecomment-212412568
Maybe upgrading setuptools will fix this last error. You'll need all the libraries otherwise there will be import errors. The versions are not required to all be exact though.
We are using this on Ubuntu.
You could also try using Docker.
https://github.com/krizsan/elastalert-docker or https://github.com/fiunchinho/docker-elastalert or https://www.ivankrizsan.se/2015/10/19/creating-an-elastalert-docker-image-on-docker-hub/
Or if not, definitely use a virtualenv.
http://docs.python-guide.org/en/latest/dev/virtualenvs/
and try installing with pip install -r requirements.txt rather than setup.py install.
Finally got it working, thanks a lot Qmando! I haven't used the docker, but had to update some libraries when I built it on the amazon linux instance:
pip install -U setuptools
pip install -U mock
pip install -U pbr
pip install -U requests-oauthlib
As well as update in requirements.txt
configparser==3.5.0
elasticsearch==1.7.0
I ran into this problem when attempting to run a bucketing search in es (also despite having the "es:*" action on my es domain resource). I was able to resolve it by adding the following to my lambda role. Hope it gives you some ideas...
Effect: Allow Action:
Here is my config.yaml
And the error that I get:
My IAM role attached to instance with elastalert gives full access to es (elasticsearch):
I confirmed with IAM policy simulator as well as other cloudformation instances that use other apps to access elasticsearch in AWS: