bitsensor / elastalert

ElastAlert that exposes REST API's for manipulating rules and alerts
https://bitsensor.io/

How to see if the alerts are really working? #64

Open Amarquier opened 5 years ago

Amarquier commented 5 years ago

Hello,

I am trying to make this plugin work. I wrote a very simple frequency rule and I am trying the sample cpu spike rule too.

When I test the cpu spike rule, it writes "Got 8542 hits from the last 1 day" but in the end I have

elastalert_status - {'hits': 0, 'matches': 0, '

Maybe it's not written correctly, so I skipped it.

When I test the frequency rule, I do have 958 hits and 90 matches. If I'm not wrong I'm supposed to receive at least 1 alert but I never did.

I tried 3 different alert types.

1) The debug, but I'm not really sure where the console it's supposed to write to is. I assume it's the docker container where it also writes things like "08:20:03.620Z INFO elastalert-server: Routes: Successfully handled GET request for '/rules/:id'." but there is nothing.

2) The email. I have set it up like this:

- "email"
email:
- "test@gmail.com"
smtp_host: "smtp.gmail.com"
smtp_port: 465
smtp_ssl: true
from_addr: "test@gmail.com"
smtp_auth_file: "/etc/elasticsearch/smtp_auth.yaml"

Inside the smtp_auth.yaml:

user: "test@gmail.com"
password: "mypassword"

But I never received a mail. I'm behind a proxy and I think I never configured elastalert for it, so maybe that's the reason, but I never saw an error in the console either.

3) I tried to write the alert into a text file like this:

- "command"
command: ["tee", "-a", "/opt/elastalert/alert.txt"]
pipe_match_json: true

But the file is still empty.

I'm probably doing something wrong and I need your help. If you need more info feel free to ask.

Thanks.
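One way to check the third alert type (the `command` alerter writing through `tee -a`) outside of ElastAlert, as an added example that is not part of this issue or of the ElastAlert code base: with `pipe_match_json: true`, ElastAlert serialises the matches as one JSON document and writes it to the command's stdin, so the same thing can be done by hand to see whether the path is writable from where the process runs. The `DateTimeEncoder` below and the sample match are constructed for this example.

```python
"""Reproduce what ElastAlert's `command` alerter does with `pipe_match_json: true`
(serialise matches to JSON, write to the command's stdin) so that a `tee -a <file>`
target can be checked on its own. Added example; not ElastAlert's own code."""
import json
import os
import subprocess
import tempfile
from datetime import datetime


class DateTimeEncoder(json.JSONEncoder):
    """Encode datetimes as ISO-8601 strings (assumption: ElastAlert does the same)."""

    def default(self, obj):
        if isinstance(obj, datetime):
            return obj.isoformat()
        return super().default(obj)


def run_command_alert(command, matches):
    """Pipe the JSON-encoded matches into `command`; return (returncode, stderr)."""
    payload = json.dumps(matches, cls=DateTimeEncoder) + "\n"
    try:
        proc = subprocess.Popen(
            command, stdin=subprocess.PIPE,
            stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
        )
    except OSError as exc:  # e.g. the command binary is not installed
        return 127, str(exc)
    _, err = proc.communicate(payload.encode())
    return proc.returncode, err.decode()


def check_alert_file(path):
    """Send one constructed match through `tee -a path` and report what landed.

    Returns {"ok": True, "lines": n, "last_host": host} when the file now holds
    n JSON lines, or {"ok": False, "error": msg} when tee failed (for example
    because the directory does not exist inside the container running ElastAlert).
    """
    sample_match = {  # constructed sample, shaped like a frequency-rule match
        "@timestamp": datetime(2019, 1, 1, 8, 20, 3),
        "host": "test-host",
        "num_hits": 958,
        "num_matches": 90,
    }
    rc, err = run_command_alert(["tee", "-a", path], [sample_match])
    if rc != 0:
        return {"ok": False, "error": err.strip()}
    with open(path) as fh:
        lines = [ln for ln in fh if ln.strip()]
    # Each line must parse back as the JSON list that was sent; anything else
    # means another writer shares the file or the command mangled its input.
    parsed = [json.loads(ln) for ln in lines]
    return {"ok": True, "lines": len(lines), "last_host": parsed[-1][0]["host"]}


def make_temp_alert_path():
    """Fresh, writable target path for a trial run."""
    return os.path.join(tempfile.mkdtemp(), "alert.txt")


if __name__ == "__main__":
    print(check_alert_file(make_temp_alert_path()))
    # A directory that does not exist shows the error tee would report:
    print(check_alert_file("/nonexistent-dir/alert.txt"))
```

If this succeeds on the host but `/opt/elastalert/alert.txt` stays empty when ElastAlert runs in Docker, the path, mount or permissions inside the container are the first thing to compare, since the command runs there, not on the host.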

mancharagopan commented 5 years ago

What do your conditions look like?

Amarquier commented 5 years ago

Here is the beginning of my rule.

type: frequency

# (Required)
# Index to search, wildcard supported

index: logstash*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe

num_events: 10

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert

timeframe:
  minutes: 2

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html

filter: []

mancharagopan commented 5 years ago

This is my sample CPU Spike rule to send an email alert if cpu usage hits more than 30% for 1 minute.

name: Metricbeat CPU Spike Rule
type: metric_aggregation

index: metricbeat-*

buffer_time:
  minutes: 1

metric_agg_key: system.cpu.total.pct
metric_agg_type: max
query_key: beat.hostname
doc_type: doc

bucket_interval:
  minutes: 1

sync_bucket_interval: true
#allow_buffer_time_overlap: true
#use_run_every_query_size: true

min_threshold: 0.0
max_threshold: 0.3

filter:
- term:
    metricset.name: cpu

alert:
- "email"
email:
  - "email@example.com"
smtp_host: "smtp.example.com"
smtp_port: "465"
smtp_ssl: "true"
from_addr: "email@example.com"
smtp_auth_file: "/tmp/elastalert/smtp_auth.yaml"

mancharagopan commented 5 years ago

How are you testing your rules?

Amarquier commented 5 years ago

Hi and sorry for the late answer.

To test rules, first I check if the rule has hits and matches. Then I recreate the conditions to get hits and matches and wait to receive an email or something, but nothing.

I found that when I start the docker I have this message: "ProcessController: IOError: [Errno 2] No such file or directory: '/tmp/elastalert/smtp_auth.yaml'", do you know how to fix it? I don't know where the debug alerter's messages are supposed to be written to.
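A pre-flight check for the email alerter settings discussed in this thread (the email block in the first post and the `smtp_auth_file` IOError in the last one), as an added example that is not part of the issue or of ElastAlert: it takes a rule that has already been parsed into a dict and reports the mistakes that would otherwise only surface as a missing mail. ElastAlert reads `smtp_auth_file` when the rule is loaded, so a path that does not exist inside the container fails at start-up exactly as the IOError above shows. The line-based reading of the two-key auth file, the `demo()` rules and the `constructed-secret` value are assumptions made for this example.

```python
"""Lint the `email` alerter settings of a parsed ElastAlert rule. Added example,
not ElastAlert code; it assumes the rule keys documented for the email alerter."""
import os
import tempfile


def _load_auth_file(path):
    """Read the flat 'user: ...' / 'password: ...' mapping smtp_auth_file holds.
    A line-based parse is enough for that two-key file (assumption)."""
    creds = {}
    with open(path) as fh:
        for line in fh:
            if ":" in line and not line.lstrip().startswith("#"):
                key, value = line.split(":", 1)
                creds[key.strip()] = value.strip().strip("\"'")
    return creds


def lint_email_alert(rule):
    """Return a list of problems in the rule's email alerter settings ([] if none)."""
    problems = []
    alerts = rule.get("alert")
    if alerts is None:
        return ["no 'alert' key: alerter names must be listed under 'alert:'"]
    if isinstance(alerts, str):
        alerts = [alerts]
    if "email" not in alerts:
        return problems  # nothing to check for this alerter
    for key in ("email", "from_addr", "smtp_host"):
        if key not in rule:
            problems.append("'%s' is required for the email alerter" % key)
    # Typographic quotes or other non-ASCII in host names and addresses usually
    # come from a word processor paste; such a host name will not resolve.
    for key in ("smtp_host", "from_addr"):
        value = rule.get(key, "")
        if isinstance(value, str) and not value.isascii():
            problems.append("%s contains non-ASCII characters: %r" % (key, value))
    port = rule.get("smtp_port")
    if port is not None and not isinstance(port, int):
        problems.append("smtp_port should be an integer, got %r" % (port,))
    auth = rule.get("smtp_auth_file")
    if auth:
        if not os.path.isfile(auth):
            problems.append("smtp_auth_file %r not found; ElastAlert reads it at start-up, "
                            "so it must exist where ElastAlert runs (inside the container)" % auth)
        else:
            missing = [k for k in ("user", "password") if k not in _load_auth_file(auth)]
            if missing:
                problems.append("smtp_auth_file lacks keys: %s" % ", ".join(missing))
    return problems


def demo():
    """Run the linter over constructed rules; returns {case name: problems}."""
    workdir = tempfile.mkdtemp()
    auth_path = os.path.join(workdir, "smtp_auth.yaml")
    with open(auth_path, "w") as fh:  # constructed credentials file
        fh.write('user: "test@example.com"\npassword: "constructed-secret"\n')
    base = {
        "name": "demo frequency rule", "type": "frequency", "index": "logstash*",
        "num_events": 10, "timeframe": {"minutes": 2}, "filter": [],
        "email": ["test@example.com"], "from_addr": "test@example.com",
        "smtp_host": "smtp.example.com", "smtp_port": 465, "smtp_ssl": True,
    }
    good = dict(base, alert=["email"], smtp_auth_file=auth_path)
    # The mistakes seen in this thread, each isolated in its own rule:
    no_alert_key = dict(base, smtp_auth_file=auth_path)
    missing_auth = dict(good, smtp_auth_file=os.path.join(workdir, "missing.yaml"))
    smart_quote = dict(good, smtp_host="smtp.gmail.com\u201d", smtp_port="465")
    return {
        "good": lint_email_alert(good),
        "no_alert_key": lint_email_alert(no_alert_key),
        "missing_auth": lint_email_alert(missing_auth),
        "smart_quote": lint_email_alert(smart_quote),
    }


if __name__ == "__main__":
    for case, found in demo().items():
        print(case, "->", found or "ok")
```

Run it against the rule dict ElastAlert would load (for instance the output of `yaml.safe_load` on the rule file) from inside the same container that runs ElastAlert, so that the `smtp_auth_file` existence check sees the same filesystem ElastAlert does.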