Hello,
Sorry if I don't respect the standards for issue reporting; this is my first one.
Since 4e8271d9215b9db5cb49e4182985392a099ea7ba (a commit which was working), "new_style_string_format" is not working.
My alert command is the following. It sends messages from auditbeat logs. It was working well before; it is not working anymore.
I went back to this commit (4e8271d9215b9db5cb49e4182985392a099ea7ba) and it's working again.
```yaml
alert:
  - "command"
command: ["/var/lib/elastalert/commands/send_message.sh", "A sudo was executed on {match[beat][name]} : {match[auditd][data][cmd]}"]
new_style_string_format: true
```
Not working : A sudo was executed on {match[beat][name]} : {match[auditd][data][cmd]}
Working : A sudo was executed on vm-log-es01 : /usr/bin/python -m elastalert.elastalert --verbose --config /var/lib/elastalert/config.yaml --rule /var/lib/elastalert/custom-rules/audit-sudo.yaml
The format changed slightly. You need to remove match from the string formatters. Now you can just use {beat[name]} and {auditd[data][cmd]}
I'll add backwards compatibility since I shouldn't be making breaking changes in a minor upgrade, my mistake. Sorry about that.
Hello,
Thank you for your fast answer, it's working perfectly.
Hello
I'm using version 0.1.32 and even using the new format you answered in this issue, it doesn't work for me. Here is my example:
```yaml
new_style_string_format: true
command: ["send_message.sh", "send_msg", "Server {beat[name]} has high RAM utilization: {beat[system][memory][actual][used][pct]}"]
```
It does not translate to the actual values.
Try using {beat.name} and beat.system.memory.actual.used.pct
Does not work either
Are those fields even available in your match? If you use the debug alerter, with no custom alert text settings, it will show you all the fields available. You haven't posted the rest of your rule so I have no idea if the issue is related to the string formatter or not.
Here is the complete rule:
```yaml
name: "RAM utilization"
index: metricbeat-*
type: frequency
query_key: beat.name
num_events: 1
timeframe:
  minutes: 1
filter:
  - range:
      system.memory.actual.used.pct:
        from: 0.9
        to: 1.1
alert:
  - command
realert:
  minutes: 1
new_style_string_format: true
command: ["send_message.sh", "send_msg", "Server {beat[name]} has high RAM utilization: {beat[system][memory][actual][used][pct]}"]
pipe_match_json: true
```
And these are the available fields:
```
Available terms in first hit:
beat.version
beat.name
beat.hostname
@timestamp
metricset.rtt
metricset.name
metricset.module
system.memory.total
system.memory.used.bytes
system.memory.used.pct
system.memory.actual.used.bytes
system.memory.actual.used.pct
system.memory.actual.free
system.memory.swap.total
system.memory.swap.used.bytes
system.memory.swap.used.pct
system.memory.swap.free
system.memory.free
```
The same rule was working (with the previous syntax of {match[beat][name]}) before updating to the latest version of elastalert.
Thanks for your support.
This is indeed a bug. I'll fix asap.
In the meantime, using %(beat.name)s should work
Nice, thank you! 😄
Hi,
I just updated to version 0.1.33 but it is not working yet. I am using the same example posted above and tried both {match[beat][name]} and {beat[name]} but it doesn't expand to the actual values. Am I missing something?
Thanks.
Did you try {beat.name}?
Yes, I also tried it
Ok. You'll have to just keep using %(beat.name)s.
If the data were
```json
{ "beat": { "name": "something" } }
```
then you could use {beat[name]}.
However, it seems to be
```json
{ "beat.name": "something" }
```
for which you need to use the % version.
My apologies for not realizing this earlier. I've got some ideas to make this more foolproof in the future.
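As an added illustration of the two match shapes described in this reply (this is not ElastAlert's own code; the `MatchFormatter`, `_lookup` and `render_command` helpers are hypothetical, and the sample matches are constructed): stock `str.format` with `{beat[name]}` only resolves the nested shape, `%(beat.name)s` only resolves the flattened dotted-key shape, and a small tolerant formatter can resolve either. It goes slightly beyond the thread by also accepting the `{beat.name}` spelling, which plain `str.format` treats as attribute access and therefore rejects on a dict.

```python
"""Added illustration (not ElastAlert's code) of why {beat[name]} and
%(beat.name)s behave differently on nested vs. flattened matches."""
import string
from typing import Any, Dict, List

# Constructed sample matches, shaped like the two cases in the thread.
NESTED_MATCH: Dict[str, Any] = {
    "beat": {"name": "vm-log-es01"},
    "auditd": {"data": {"cmd": "/usr/bin/python -m elastalert.elastalert"}},
}
FLAT_MATCH: Dict[str, Any] = {
    "beat.name": "vm-log-es01",
    "auditd.data.cmd": "/usr/bin/python -m elastalert.elastalert",
}

NEW_STYLE = "A sudo was executed on {beat[name]} : {auditd[data][cmd]}"
OLD_STYLE = "A sudo was executed on %(beat.name)s : %(auditd.data.cmd)s"
EXPECTED = "A sudo was executed on vm-log-es01 : /usr/bin/python -m elastalert.elastalert"


def render_new_style(template: str, match: Dict[str, Any]) -> str:
    """new_style_string_format: true  ->  str.format(**match).
    {beat[name]} is a getitem chain, so it needs a nested dict; on a flattened
    match the top-level key 'beat' does not exist and str.format raises KeyError."""
    return template.format(**match)


def render_old_style(template: str, match: Dict[str, Any]) -> str:
    """Default %-formatting  ->  template % match.
    %(beat.name)s is a literal key lookup, so it only works on the flattened shape."""
    return template % match


def _lookup(match: Dict[str, Any], path: List[str]) -> Any:
    """Resolve a dotted path against a match that is nested, flattened or mixed (hypothetical helper)."""
    dotted = ".".join(path)
    if dotted in match:
        return match[dotted]
    # Otherwise consume the longest prefix that is itself a nested dict and recurse.
    for i in range(1, len(path)):
        head = ".".join(path[:i])
        if isinstance(match.get(head), dict):
            return _lookup(match[head], path[i:])
    raise KeyError(dotted)


class MatchFormatter(string.Formatter):
    """Tolerant formatter (hypothetical): accepts {beat[name]} and {beat.name}
    and resolves both through _lookup regardless of the match's shape."""

    def get_field(self, field_name: str, args, kwargs):
        # Turn 'beat[name]' or 'beat.name' into the path ['beat', 'name'].
        path = [p for p in field_name.replace("]", "").replace("[", ".").split(".") if p]
        return _lookup(kwargs, path), field_name


def render_tolerant(template: str, match: Dict[str, Any]) -> str:
    return MatchFormatter().vformat(template, (), match)


def render_command(command: List[str], match: Dict[str, Any]) -> List[str]:
    """Render each argv element separately. Keeping `command` as a list means each
    field value becomes its own argument and never passes through a shell."""
    return [render_tolerant(arg, match) for arg in command]


def outcomes() -> Dict[str, str]:
    """Run every renderer against both shapes; a KeyError is reported as 'KeyError'."""
    cases = {
        "new/nested": (render_new_style, NEW_STYLE, NESTED_MATCH),
        "new/flat": (render_new_style, NEW_STYLE, FLAT_MATCH),
        "old/nested": (render_old_style, OLD_STYLE, NESTED_MATCH),
        "old/flat": (render_old_style, OLD_STYLE, FLAT_MATCH),
        "tolerant/nested": (render_tolerant, NEW_STYLE, NESTED_MATCH),
        "tolerant/flat": (render_tolerant, NEW_STYLE, FLAT_MATCH),
    }
    result: Dict[str, str] = {}
    for name, (fn, template, match) in cases.items():
        try:
            result[name] = fn(template, match)
        except KeyError:
            result[name] = "KeyError"
    return result


if __name__ == "__main__":
    for name, value in outcomes().items():
        print(f"{name:16} {value}")
    print(render_command(["send_message.sh", "Server {beat[name]}"], FLAT_MATCH))
```

The `outcomes()` table shows the failure pattern from the thread directly: `new/flat` and `old/nested` raise `KeyError`, the other two render. The tolerant formatter is one way to make a rule independent of how Elasticsearch happens to return the hit.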
Ok, I will use the % version.
Thanks for your support.
How about pipe_alert_text? How can I use it in the command?
"{[alert_text]}"
"{match[alert_text]}"
"{alert_text}"
does not work.
Unfortunately the alert text can't be formatted directly into the command. You have to do a slight workaround using some scripting to convert the stdin to a command line arg.
In alert.sh, add
```bash
#!/bin/bash
# Read the alert text that ElastAlert pipes on stdin, then pass it on as a single argument.
alert_text=$(cat)
some_command "$alert_text"
```
Then have the command just run alert.sh with pipe_alert_text: true
Thx man. I wish this was in the docs 👍