These are chat archives for Yelp/elastalert

Oct 2017
Oct 18 2017 14:52
I'm just a noob trying elastalert so bear with me
I'm trying to generate an alert based on auth.log data using the filebeat default system module

```yaml
# Alert when the rate of events exceeds a threshold

# Elasticsearch host

# Elasticsearch port
es_port: 14900

# (Optional) Connect with SSL to Elasticsearch
use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
es_username: someusername
es_password: somepassword

# Rule name, must be unique
name: Filebeat, ssh fail event frequency rule

# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe time
type: frequency

# Index to search, wildcard supported
# Elasticsearch index names are always lowercase, so the pattern must be
# lowercase too or it will not match the default Filebeat indices
index: filebeat-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 5

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 1

# Count matches per query_key value with a terms aggregation instead of
# fetching every document; doc_type is required when this is enabled
use_terms_query: true
doc_type: doc

# Field whose values are counted separately (one alert per hostname);
# required when use_terms_query is set
query_key: system.auth.hostname

# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info:
filter:
- terms:
    system.auth.ssh.event: [ "Failed", "Invalid" ]

# The alert is used when a match is found
alert:
- "debug"
```
I want to generate an alert when there are more than 5 ssh failures on a single hostname during the last hour
this rule does not trigger for me for some reason
can someone help?