I am using metricbeat-6.4.0, elasticsearch-6.4.0, elastalert-0.1.35.
I want to set email alerts when any process, suppose notepad++.exe is stopped.
Below is my rule:
```yaml
realert:
  minutes: 60
from_addr: [email protected]
alert_text: "Dear User,\n\t notepad++.exe is not running on server IN-MUM-EADMTOOL for the last 15 minutes"
es_host: linux-a2adm.in.company.com
index: metricbeat-6.4.0-*
smtp_host: ismtp.corp.company.com
type: frequency
es_port: 29200
filter:
- term:
    beat.hostname: IN-MUM-EADMTOOL
- not:
    term:
      system.process.name: notepad++.exe
timeframe:
  minutes: 15
alert: email
name: 93__server__IN-MUM-EADMTOOL__system.process.name__eqnotepad++.exe__1__15
email: ["[email protected]"]
num_events: 1
```
I am getting the error below:

```
INFO:elastalert:Starting up
WARNING:elasticsearch:GET http://linux-a2adm.in.company:29200/metricbeat-6.4.0-*/_search?_source_include=%40timestamp%2C%2A&ignore_unavailable=true&scroll=30s&size=10000 [status:400 request:0.035s]
ERROR:root:Error running query: RequestError(400, u'parsing_exception', u'no [query] registered for [not]')
INFO:elastalert:Ran 93__server__IN-MUM-EADMTOOL__system.process.name__eqnotepad++.exe__1__15 from 2018-11-09 17:18 India Standard Time to 2018-11-09 17:29 India Standard Time: 0 query hits (0 already seen), 0 matches, 0 alerts sent
INFO:elastalert:Sleeping for 59.895 seconds
```
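Why the query fails on Elasticsearch 6.4, as an added example that is not part of the original post: the top-level `not` clause was removed from the query DSL in Elasticsearch 5.0, and `bool.must_not` replaces it. The script below is written for this page (Python); that ElastAlert wraps the rule's filter list in `bool.filter` is an assumption, not taken from the post.

```python
# Added example (not from the original post): why Elasticsearch 6.x rejects the
# rule's "not" filter, and the bool/must_not form that replaces it.
import json

# The filter block from the rule above, as ElastAlert would load it from YAML.
RULE_FILTER = [
    {"term": {"beat.hostname": "IN-MUM-EADMTOOL"}},
    {"not": {"term": {"system.process.name": "notepad++.exe"}}},
]

# Compound query clauses removed from the query DSL in Elasticsearch 5.0;
# sending any of them to 6.4 yields "no [query] registered for [...]".
REMOVED_QUERIES = {"not", "and", "or", "filtered"}


def find_removed_clauses(clause, path="filter"):
    """Return the dotted path of every removed query clause in a filter tree."""
    found = []
    if isinstance(clause, dict):
        for key, value in clause.items():
            here = f"{path}.{key}"
            if key in REMOVED_QUERIES:
                found.append(here)
            found.extend(find_removed_clauses(value, here))
    elif isinstance(clause, list):
        for i, item in enumerate(clause):
            found.extend(find_removed_clauses(item, f"{path}[{i}]"))
    return found


def modernize(clause):
    """Rewrite legacy {"not": X} into {"bool": {"must_not": [X]}}, recursively."""
    if isinstance(clause, dict):
        out = {}
        for key, value in clause.items():
            if key == "not":
                out["bool"] = {"must_not": [modernize(value)]}
            else:
                out[key] = modernize(value)
        return out
    if isinstance(clause, list):
        return [modernize(item) for item in clause]
    return clause


def build_query(filters):
    """Wrap the filter list in bool.filter (assumption: mirrors ElastAlert's query)."""
    return {"query": {"bool": {"filter": filters}}}


if __name__ == "__main__":
    print(find_removed_clauses(RULE_FILTER))  # ['filter[1].not']
    print(json.dumps(build_query(modernize(RULE_FILTER)), indent=2))
```

Even with the corrected syntax, a `frequency` rule whose filter matches every process document on the host other than notepad++.exe will fire on the first such document; the absence of matching documents over a timeframe is what ElastAlert's `flatline` rule type is designed to detect.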
Issue with the filter, try using: