These are chat archives for Yelp/elastalert

18th Oct 2017
fasher
@fasher
Oct 18 2017 14:52
Hi,
I'm just a noob trying elastalert so bear with me
I'm trying to generate an alert based on auth.log data using the filebeat default system module

```yaml
# Alert when the rate of events exceeds a threshold

# (Optional)
# Elasticsearch host
es_host: elasticsearch.example.com

# (Optional)
# Elasticsearch port
es_port: 14900

# (Optional) Connect with SSL to Elasticsearch
use_ssl: True

# (Optional) basic-auth username and password for Elasticsearch
es_username: someusername
es_password: somepassword

# (Required)
# Rule name, must be unique
name: Filebeat, ssh fail event frequency rule

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur within timeframe time
type: frequency

# (Required)
# Index to search, wildcard supported
index: Filebeat-*

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
num_events: 5

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
timeframe:
  hours: 1

use_terms_query: true
doc_type: doc

# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- terms:
    system.auth.ssh.event: [ "Failed", "Invalid" ]
    query_key: system.auth.hostname

# (Required)
# The alert is used when a match is found
alert:
- "debug"
```
I want to generate an alert when there are more than 5 ssh failures on a single hostname during the last hour
this rule does not trigger for me for some reason
can someone help?