Rule is working but doesn't pass validation with Kibana "test" or Python "test" functions
Here is my config from docker-compose.yml
```yaml
elastalert:
  image: bitsensor/elastalert:3.0.0-beta.1
  volumes:
    - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml
    - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json
    - ./elastalert/rules:/opt/elastalert/rules
    - ./elastalert/rule_templates:/opt/elastalert/rule_templates
    - /etc/localtime:/etc/localtime:ro
  ports:
    - "3030:3030"
    - "3333:3333"
  environment:
    TZ: "America/New_York"
  networks:
    - elk
  depends_on:
    - elasticsearch
```
Here is my one rule placed in /opt/elastalert/rules/SearchStringForError.yml (within the container). Simply creating this file causes the rule to run because I successfully get emails when an "error" string is detected.
```yaml
es_host: elasticsearch
es_port: 9200
name: Search for string error
type: frequency
index: "*"
num_events: 1
timeframe:
  minutes: 5
filter:
  - term:
      message: "error"
alert:
  - "email"
email:
  - "[email protected]"
smtp_host: "mailrelay.example.com"
smtp_port: 26
from_addr: "[email protected]"
```
When I try to create this in Kibana and click "test", the following error is logged in the container logs:
```
12:31:41.293Z ERROR elastalert-server: TestController: Failed to test rule with error: WARNING:elasticsearch:GET http://elasticsearch:9200/ [status:401 request:0.009s] Error connecting to ElasticSearch: AuthenticationException(401, u'security_exception', {u'status': 401, u'error': {u'header': {u'WWW-Authenticate': u'Basic realm="security" charset="UTF-8"'}, u'root_cause': [{u'header': {u'WWW-Authenticate': u'Basic realm="security" charset="UTF-8"'}, u'reason': u'missing authentication credentials for REST request [/]', u'type': u'security_exception'}], u'type': u'security_exception', u'reason': u'missing authentication credentials for REST request [/]'}})
WARNING:elasticsearch:GET http://elasticsearch:9200/ [status:401 request:0.006s]
WARNING:elastalert:Error connecting to Elasticsearch for rule /opt/elastalert/server_data/tests/~R2evwyovJHKRpIBlmzvFBc4X0Tc7VpKZ. The rule has been disabled.
ERROR:root:Error connecting to SMTP host: [Errno 101] Network unreachable
INFO:elastalert:Skipping writing to ES: {'message': 'Error connecting to SMTP host: [Errno 101] Network unreachable', 'traceback': ['Traceback (most recent call last):', ' File "elastalert/elastalert.py", line 1866, in send_notification_email', ' smtp = SMTP(self.smtp_host)', ' File "/usr/lib/python2.7/smtplib.py", line 256, in __init__', ' (code, msg) = self.connect(host, port)', ' File "/usr/lib/python2.7/smtplib.py", line 317, in connect', ' self.sock = self._get_socket(host, port, self.timeout)', ' File "/usr/lib/python2.7/smtplib.py", line 292, in _get_socket', ' return socket.create_connection((host, port), timeout)', ' File "/usr/lib/python2.7/socket.py", line 575, in create_connection', ' raise err', 'error: [Errno 101] Network unreachable'], 'data': {'email_body': '\n\nThe rule /opt/elastalert/server_data/tests/~R2evwyovJHKRpIBlmzvFBc4X0Tc7VpKZ has raised an uncaught exception.\n\nTraceback (most recent call last):\n File "elastalert/elastalert.py", line 935, in init_rule\n self.modify_rule_for_ES5(new_rule)\n File "elastalert/elastalert.py", line 996, in modify_rule_for_ES5\n if rule_es.is_atleastfive():\n File "elastalert/__init__.py", line 50, in is_atleastfive\n return int(self.es_version.split(".")[0]) >= 5\n File "elastalert/__init__.py", line 43, in es_version\n self._es_version = self.info()[\'version\'][\'number\']\n File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/client/utils.py", line 84, in _wrapped\n return func(*args, params=params, **kwargs)\n File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/client/__init__.py", line 259, in info\n return self.transport.perform_request("GET", "/", params=params)\n File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/transport.py", line 353, in perform_request\n timeout=timeout,\n File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/connection/http_requests.py", line 155, in perform_request\n self._raise_error(response.status_code, raw_data)\n File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/connection/base.py", line 178, in _raise_error\n status_code, error_message, additional_info\nAuthenticationException: AuthenticationException(401, u\'security_exception\', u\'missing authentication credentials for REST request [/]\')\n'}}
Traceback (most recent call last):
  File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
    "__main__", fname, loader, pkg_name)
  File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/opt/elastalert/elastalert/test_rule.py", line 467, in <module>
    main()
  File "/opt/elastalert/elastalert/test_rule.py", line 463, in main
    test_instance.run_rule_test()
  File "/opt/elastalert/elastalert/test_rule.py", line 455, in run_rule_test
    self.run_elastalert(rule_yaml, conf, args)
  File "/opt/elastalert/elastalert/test_rule.py", line 311, in run_elastalert
    client.run_rule(rule, endtime, starttime)
  File "elastalert/elastalert.py", line 825, in run_rule
    for x in range(len(rule['agg_matches'])):
KeyError: 'agg_matches'
```
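The 401 in the log above means Elasticsearch has security enabled and rejected the test run's `GET /` because the request carried no credentials (`missing authentication credentials for REST request [/]`); the `KeyError: 'agg_matches'` at the end is a knock-on effect of the rule being disabled before it was fully initialised. As an added example, not taken from the original issue, here is the posted rule with ElastAlert's per-rule `es_username`/`es_password` options set explicitly, so the rule carries its own credentials instead of relying on whatever global configuration the test harness happens to load. The account name, the password and the e-mail addresses are placeholders, not values from the page:

```yaml
# Added example (not from the original issue): the posted rule with explicit
# Elasticsearch credentials. Values marked as placeholders are assumptions.
es_host: elasticsearch
es_port: 9200
# Per-rule credentials for a cluster with security enabled. "elastalert_ro"
# and the password are placeholders; use a dedicated account that has read
# access only to the indices this rule queries, and keep this file readable
# only by the user running ElastAlert, since the password is stored in clear
# text and the rules directory is bind-mounted from the host.
es_username: elastalert_ro
es_password: "REPLACE_ME"
name: Search for string error
type: frequency
index: "*"
num_events: 1
timeframe:
  minutes: 5
filter:
  - term:
      message: "error"
alert:
  - "email"
email:
  - "alerts@example.com"            # placeholder recipient
smtp_host: "mailrelay.example.com"
smtp_port: 26
from_addr: "elastalert@example.com"  # placeholder sender
```

The credentials can be checked independently of ElastAlert from inside the container by issuing the same `GET /` the test performs with `curl -u user:password http://elasticsearch:9200/`: a 200 response carrying the cluster version confirms the account works, while a 401 at that point means the credentials themselves are wrong rather than missing. The separate `Errno 101 Network unreachable` entry comes from the test harness trying to e-mail its own failure report to `mailrelay.example.com`, which is a different connectivity problem from the Elasticsearch one.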