Elastalert filter on log levels and send an email

Question

I have some questions in elastalert which are really making me stuck. Your help is really needed as I am in the middle of an issue. My questions are below :

• Is there any way we can filter on the basis of log level or severity?
• Is there any way for each entry in elastic search I should be able to send an email ( as I'll be having a grok filter in logstash to push only error logs).

I have tried by following one by one, but nothing worked.

filter:
- term:
#      essage: "*INFO*"
#      query: "info"
#      host.name: "*IPADDRESS.us-east-2.compute.internal*"

None of the above is working.

Answer 1

Your question is kinda broad, so, I can only give some pointers but you probably want to run something like this:

# From rules/example_frequency.yaml
name: Immediate attention is necessary.
type: frequency
index: logstash-ming-ossec-syslog-new-*
num_events: 1
timeframe:
    minutes: 10

#- query:
#    query_string:
#       query: 'res:failed AND op:login  AND (NOT acct:root) AND (NOT acct:(unknown))'

#filter:
#- query:
#    query_string:
#      query: "system.log.severity: SEVERE

#or whatever makes sense with your data
filter:
- query:
    query_string:
      query: "alarm AND error AND (critical OR severe)"
      default_field: syslog_message


alert:
- "email"

email:
- "[email protected]"
- "[email protected]"
smtp_host: "smtp.mailgun.org"
smtp_port: 25
smtp:ssl: true
from_addr: "[email protected]"
smtp_auth_file: '/opt/elastalert/smtp_auth_file.yaml'

Inspired by https://github.com/Yelp/elastalert/blob/master/example_rules/example_frequency.yaml