elastalert - email-notifications - debugging?

[ejgh-oe]

Hi,
Running 2.4.140 in a distributed environment - no Pro license - I'm trying to get elastalert to send out emails in case a high severity suricata alert or IDH alert fires off.

Here's what I did: Following the advice/receipe given under #14181 I set up my own custom .yaml-File that I put in /opt/so/conf/elastalert/custom like so:

es_host: my-manager-node
es_port: 9200

name: "First Test"

index: "logs-suricata.alerts-so*"

type: frequency
num_events: 1
timeframe:
    minutes: 3
buffer_time:
    minutes: 5
allow_buffer_time_overlap: true
filter:
    - query:
       query_string:
         query: "event.severity:3 AND event.acknowledged is null"


alert_text_type: alert_text_only

alert_text: "
*Number of hits*:       {11}\n
\n
*RULE*:\n
*Category*:     {5}\n
*Rulename*:     {6}\n
*Reference*:    {7}\n
\n
*SOURCE - DESTINATION*:\n
*Source*:       {0}:{1}\n
*Destination*:  {2}:{3}\n
*Timestamp*:    {4}\n
\n
*EVENT*\n
*Category*:     {8}\n
*Severity*:     {9}\n
*Sensor*:       {10}\n"

alert_text_args: ["source.ip", "source.port", "destination.ip", "destination.port", "event.ingested", "rule.category", "rule.name", "rule.reference", "event.category", "event.severity_label", "host.name", num_hits]
alert:
- email

email:
- "[email protected]"
smtp_host: "mailgateway.somewhere.org"
smtp_port: 25
from_addr: "[email protected]"

However - nothing happens: Even though I get alerts in the dashboards, including high alerts, no email alerts are being sent.

So my questions:

• How can I check whether my custom rule is being picked up by elastalert2 at all? (/opt/so/log/elastalert/elastalert.log doesn't contain any information about my custom rules being read)
• Is logs-suricata.alerts-so* the correct index for elastalert to look into?
• any way to check my custom rule for syntax errors? (tried so-elastalert-test -r custom/my-elastalert-rules.yaml as well as `so-elastalert-test -r /opt/so/conf/elastalert/custom/my-elastalert-rules.yaml' but that only ended up with python errors

Thanks much in advance for any clue...

[reyesj2]

Try placing your rule in /opt/so/rules/elastalert/rules/custom/

Then to manually run it with so-elastalert-test use

so-elastalert-test -r rules/custom/test.yml

Yes, logs-suricata.alerts-so is the correct index for looking at suricata alerts

[reyesj2]

I ran the rule provided as described above

silence - {'exponent': 0, 'rule_name': 'First Test', '@timestamp': datetime.datetime(2025, 3, 28, 3, 34, 31, 410172, tzinfo=tzutc()), 'until': datetime.datetime(2025, 3, 28, 3, 35, 31, 410150, tzinfo=tzutc())}

elastalert_status - {'rule_name': 'First Test', 'endtime': datetime.datetime(2025, 3, 28, 3, 34, 31, 163258, tzinfo=tzutc()), 'starttime': datetime.datetime(2025, 3, 28, 3, 31, 29, 363258, tzinfo=tzutc()), 'matches': 4, 'hits': 4, '@timestamp': datetime.datetime(2025, 3, 28, 3, 34, 31, 410985, tzinfo=tzutc()), 'time_taken': 0.055094242095947266}


Test completed successfully!

[ejgh-oe]

Try placing your rule in /opt/so/rules/elastalert/rules/custom/

Then to manually run it with so-elastalert-test use

so-elastalert-test -r rules/custom/test.yml

Yes, logs-suricata.alerts-so is the correct index for looking at suricata alerts

Awesome - your tips solved all of the problems I ran into: Moving my rules to /opt/so/rules/elastalert/rules/custom/ made elasticsearch pick them up automatically and now the so-elastalert-test also works given the different specification of the pathname to the rule. And best of all rules now fire so I get notifications via email to my inbox as intended.

Thanks alot for your help :-)