Realert not persisted if elastalert is restarted

[BenJeau]

Hi,

Unsure if this is the desired behaviour, but our workflow for adding rules to ElastAlert is to create a new rule, put it in the folder, then restart ElastAlert, but I see some weird behaviour in the rules, such as realert not being respected throughout restarts.

I thought realerts were persisted due to ElastAlert saving to the silence index, I'm guessing that is not true?

If that is the case, what is the way to add new rules or update rules without "breaking" the functionality of the rules? From this section, there's a mention of the run_every field that will reload rules https://elastalert2.readthedocs.io/en/latest/running_elastalert.html#disabling-a-rule - I'm guessing it's not intended for us to restart ElastAlert?

[jertel]

ElastAlert 2 will auto-detect new rules, and modified rules, so there is no need to restart it. It does this by comparing rule file content hashes, not timestamps.

As far as the realert not being respected across restarts, I would expect a rule to remain silenced. When I do my local testing I have to continually change the rule name across restarts to force the alerts to appear, otherwise the alerts remain silenced. It's possible there is something with your particular configuration that prevents this behavior.

[BenJeau]

Thanks for the quick response, turns out it was a problem on my end (global config issue with writeback index)... realert is now working as expected

As for modified rules, that's great that it auto-detect, does it do the same for custom Python modules, e.g. a custom alerter or rules, and imports?

[jertel]

No, it only applies to rule files.