Elastalert: Logging to the file

Created on 26 Aug 2020  ·  14 Comments  ·  Source: Yelp/elastalert

Hello,
can anyone help me with setting logging to file /var/log/elastalert/elastalert.log?

I have this configuration but it doesn't work:

/opt/elastalert/config.yaml

run_every:
  seconds: 30
buffer_time:
  minutes: 5
rules_folder: rules
use_ssl: true
es_host: *
es_port: 9200
es_username: elastalert
es_password: ***
es_send_get_body_as: GET
writeback_index: elastalert_audit

logging:
  version: 1
  incremental: false
  disable_existing_loggers: false
  formatters:
    logline:
      format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'

    handlers:
      console:
        class: logging.StreamHandler
        formatter: logline
        level: DEBUG
        stream: ext://sys.stderr

      file:
        class : logging.FileHandler
        formatter: logline
        level: DEBUG
        filename: /var/log/elastalert/elastalert.log

    loggers:
      elastalert:
        level: DEBUG
        handlers: []
        propagate: true

      elasticsearch:
        level: DEBUG
        handlers: []
        propagate: true

      elasticsearch.trace:
        level: DEBUG
        handlers: []
        propagate: true

      '':  # root logger
        level: DEBUG
        handlers:
          - console
          - file
        propagate: false

[root@alerter-as1 elastalert]# systemctl status elastalert
● elastalert.service - Elastalert
   Loaded: loaded (/etc/systemd/system/elastalert.service; enabled; vendor preset: disabled)
   Active: active (running) since St 2020-08-26 09:39:47 CEST; 13min ago
 Main PID: 26064 (python3.6)
   CGroup: /system.slice/elastalert.service
           └─26064 /usr/bin/python3.6 -m elastalert.elastalert --config /opt/elastalert/config.yaml

All 14 comments

It's a setting I've never seen, but is it the setting written in the document?

I found the configuration in the file config.yaml.example:
https://github.com/Yelp/elastalert/blob/master/config.yaml.example

Unfortunately no, because the indentation is correct.

Does anyone have a working solution for putting logging into operation?

All I needed was how to run the logging for elastalert, but thank you @nsano-rururu for the detailed tutorial on how to set up praeco.

We also recommend asking questions on the Gitter channel
https://gitter.im/Yelp/elastalert

Simply set up your elastalert with supervisor and mention these settings there to log.
Logging is part of the daemon process, not elastalert itself.

I have the same problem. Why is the logging configuration set but no logging is generated?

@vennca

I was able to output the file.

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: localhost

# The Elasticsearch port
es_port: 9200

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test
profile: default

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#verify_certs: True
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
writeback_alias: elastalert_alerts

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2

# Custom logging configuration
# If you want to setup your own logging configuration to log into
# files as well or to Logstash and/or modify log levels, use
# the configuration below and adjust to your needs.
# Note: if you run ElastAlert with --verbose/--debug, the log level of
# the "elastalert" logger is changed to INFO, if not already INFO/DEBUG.
logging:
  version: 1
  incremental: false
  disable_existing_loggers: false
  formatters:
    logline:
      format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'

  handlers:
    console:
      class: logging.StreamHandler
      formatter: logline
      level: INFO
      stream: ext://sys.stderr

    file:
      class : logging.FileHandler
      formatter: logline
      level: INFO
      filename: elastalert.log

  loggers:
    elastalert:
      level: INFO
      handlers: []
      propagate: true

    elasticsearch:
      level: INFO
      handlers: []
      propagate: true

    elasticsearch.trace:
      level: INFO
      handlers: []
      propagate: true

    '':  # root logger
      level: INFO
      handlers:
        - console
        - file
      propagate: false

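The difference between the question's config and the working one above is the nesting of `handlers:` and `loggers:`: in the question they sit two spaces deeper, under `formatters:`, and Python's `logging.config.dictConfig()` accepts that shape without any error because it simply treats the misplaced blocks as two oddly named formatters and installs no handlers at all, so nothing reaches the file and nothing complains. The script below is an added check, not code from the thread or from the ElastAlert project: it builds both shapes as the Python dicts the two YAML layouts parse to (constructed here, so no YAML library is needed), applies each with `dictConfig`, and reports whether a record logged through the `elastalert` logger actually lands in the file. The temp-file log path, the `probe record` message and the function names are assumptions of this example.

```python
"""Verify that an ElastAlert-style `logging:` section really installs a file handler.

dictConfig() silently ignores `handlers:`/`loggers:` keys that are indented
under `formatters:`, which is what the question's YAML parses to.  Both shapes
are reproduced here as dicts (constructed for this example) and applied in turn.
"""
import logging
import logging.config
import os
import tempfile

FORMAT = "%(asctime)s %(levelname)+8s %(name)+20s %(message)s"


def handler_section(log_path):
    """The two handlers from the thread's config, file handler pointed at log_path."""
    return {
        "console": {"class": "logging.StreamHandler", "formatter": "logline",
                    "level": "DEBUG", "stream": "ext://sys.stderr"},
        "file": {"class": "logging.FileHandler", "formatter": "logline",
                 "level": "DEBUG", "filename": log_path},
    }


def logger_section():
    """Named loggers plus '' (the root logger) exactly as the thread configures them."""
    return {
        "elastalert": {"level": "DEBUG", "handlers": [], "propagate": True},
        "elasticsearch": {"level": "DEBUG", "handlers": [], "propagate": True},
        "": {"level": "DEBUG", "handlers": ["console", "file"], "propagate": False},
    }


def misindented_config(log_path):
    """What the question's YAML parses to: handlers/loggers nested under formatters."""
    return {
        "version": 1,
        "incremental": False,
        "disable_existing_loggers": False,
        "formatters": {
            "logline": {"format": FORMAT},
            "handlers": handler_section(log_path),  # one level too deep
            "loggers": logger_section(),            # one level too deep
        },
    }


def correct_config(log_path):
    """What the accepted answer's YAML parses to: handlers/loggers at the top level."""
    return {
        "version": 1,
        "incremental": False,
        "disable_existing_loggers": False,
        "formatters": {"logline": {"format": FORMAT}},
        "handlers": handler_section(log_path),
        "loggers": logger_section(),
    }


def reset_root():
    """Detach and close every root handler so each run starts from a clean state."""
    root = logging.getLogger()
    for handler in list(root.handlers):
        root.removeHandler(handler)
        handler.close()


def file_targets(config):
    """Apply config and return the absolute paths of the root logger's FileHandlers."""
    reset_root()
    logging.config.dictConfig(config)  # does not raise for the mis-indented shape
    return sorted(h.baseFilename for h in logging.getLogger().handlers
                  if isinstance(h, logging.FileHandler))


def file_logging_works(config, log_path):
    """True when a record logged via the `elastalert` logger ends up in log_path."""
    if os.path.abspath(log_path) not in file_targets(config):
        return False  # the check the thread was missing: no file handler got installed
    logging.getLogger("elastalert").info("probe record")
    for handler in logging.getLogger().handlers:
        handler.flush()
    with open(log_path) as fh:
        return "probe record" in fh.read()


def demo():
    """Run both shapes against a temporary log file; returns {shape: worked}."""
    with tempfile.TemporaryDirectory() as tmp:
        log_path = os.path.join(tmp, "elastalert.log")
        results = {
            "mis-indented": file_logging_works(misindented_config(log_path), log_path),
            "correct": file_logging_works(correct_config(log_path), log_path),
        }
        reset_root()  # release the file before the temp directory is removed
    return results


if __name__ == "__main__":
    for shape, worked in demo().items():
        print(f"{shape:>13}: {'log file written' if worked else 'NO file handler installed'}")
```

Running it prints `mis-indented: NO file handler installed` and `correct: log file written`. The same idea works as an operational check on a real install: after ElastAlert starts, a missing file handler on the root logger means the `logging:` section was parsed but not applied the way you intended, which is exactly the silent failure the question describes.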

I confirmed that a pull request has been issued:
https://github.com/Yelp/elastalert/pull/2231

@nsano-rururu Thank you. It worked

Thank you. It works!
