Elastalert: Better Email message template

Created on 7 Apr 2017 · 3Comments · Source: Yelp/elastalert

Is there a friendly format for email which is sent when the alert is triggered. How do generally people go about with email alerts. This is what is sent

frequencytest

At least 70 events occurred between 2017-04-06 06:27 UTC and 2017-04-06 06:28 UTC

@timestamp: 2017-04-06T06:28:13.129Z
@version: 1
_id: AVtB8wdiBRyE7g7Hr950
_index: logstash-2017.04.06
_type: log
agent: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; AppInsights)"
auth: -
beat: {
"hostname": "sod-web-forums",
"name": "sod-web-forums",
"version": "5.3.0"
}
bytes: 10233
clientip: 207.46.14.65
geoip: {
"city_name": "Chicago",
"continent_code": "NA",
"country_code2": "US",
"country_code3": "US",
"country_name": "United States",
"dma_code": 602,
"ip": "207.46.14.65",
"latitude": 41.8483,
"location": [
-87.6517,
41.8483
],
"longitude": -87.6517,
"postal_code": "60602",
"region_code": "IL",
"region_name": "Illinois",
"timezone": "America/Chicago"
}
host: sod-web-forums
httpversion: 1.1
ident: -
input_type: log
message: 207.46.14.65 - - [05/Apr/2017:23:28:11 -0700] "GET / HTTP/1.1" 200 10233 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; AppInsights)" 789132
num_hits: 252
num_matches: 1
offset: 96831545
referrer: "-"
request: /
response: 200
response_time: 789132
source: /var/log/httpd/forum-access_log
tags: [
"beats_input_codec_plain_applied"
]
timestamp: 05/Apr/2017:23:28:11 -0700
type: log
verb: GET
frequencytest

At least 70 events occurred between 2017-04-06 06:27 UTC and 2017-04-06 06:28 UTC

@timestamp: 2017-04-06T06:28:13.129Z
@version: 1
_id: AVtB8wdiBRyE7g7Hr950
_index: logstash-2017.04.06
_type: log
agent: "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; AppInsights)"
auth: -
beat: {
"hostname": "sod-web-forums",
"name": "sod-web-forums",
"version": "5.3.0"
}
bytes: 10233
clientip: 207.46.14.65
geoip: {
"city_name": "Chicago",
"continent_code": "NA",
"country_code2": "US",
"country_code3": "US",
"country_name": "United States",
"dma_code": 602,
"ip": "207.46.14.65",
"latitude": 41.8483,
"location": [
-87.6517,
41.8483
],
"longitude": -87.6517,
"postal_code": "60602",
"region_code": "IL",
"region_name": "Illinois",
"timezone": "America/Chicago"
}
host: sod-web-forums
httpversion: 1.1
ident: -
input_type: log
message: 207.46.14.65 - - [05/Apr/2017:23:28:11 -0700] "GET / HTTP/1.1" 200 10233 "-" "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; AppInsights)" 789132
num_hits: 252
num_matches: 1
offset: 96831545
referrer: "-"
request: /
response: 200
response_time: 789132
source: /var/log/httpd/forum.schoolofdragons.com-access_log
tags: [
"beats_input_codec_plain_applied"
]
timestamp: 05/Apr/2017:23:28:11 -0700
type: log
verb: GET

Source

tkumark

Most helpful comment

You can use a custom string as the alert body.

alert_text: |
    Something happened at {0}.
    response: {1}
    message: {2}
alert_text_args: ["timestamp", "response", "message"]
alert_text_type: alert_text_only

Qmando on 7 Apr 2017

👍16

All 3 comments

You can use a custom string as the alert body.

alert_text: |
    Something happened at {0}.
    response: {1}
    message: {2}
alert_text_args: ["timestamp", "response", "message"]
alert_text_type: alert_text_only

Qmando on 7 Apr 2017

👍16

Thanks this was help full it would be nice to have this example put in the documentation.

tkumark on 28 Apr 2017

👍4

Hi,

I'm trying to configure email template with 3 specific filelds.. @timestamp, hostname and msg.

I tried to use the below format.

type: any

alert_text: "Interface Flapping observed on Arista Switch at {0) on {1} with the status {2}"
alert_text_args: ["@timestamp", "hostname", "msg"]

email output is like..

Interface Flapping observed on Arista Switch at {0) on {1} with the status {2}