Rules defining

[Raksniru]

This is my rules.yaml file

data:
elastalert.yaml: |-
name: check this out
type: frequency
index: cloud-*
num_events: 2
timeframe:
minutes: 1
filter:
- query:
query_string:
query: "bad AND certificate"
default_field: log
- query:
query_string:
query: "unable AND to AND get AND control AND connection AND for AND device"
default_field: log
- query:
query_string:
query: "Stream AND is AND nil"
default_field: log
- query:
query_string:
query: "certificate AND has AND expired AND or AND is AND not AND yet AND valid"
default_field: log
alert:
- "googlechat"
googlechat_webhook_url: "***********"
alert_text: |
Failure point-log: {0}
Timestamp: {2}
Pod: {1}
Namespace: {3}
Container: {4}
alert_text_type: alert_text_only
alert_text_args: ["log","Pod","@timestamp","Namespace","Container_ID"]

The trigger is not fired on on google hangout , i seee this log multiple times "certificate has expired or is not yet valid"

And my log on kibana is

*1|ERROR|2021/06/02 08:12:24.289688|warpClient: Handshake: [some ip] x509: certificate has expired or is not yet valid: current time 2021-06-02T08:12:24Z is after 2020-10-16T16:50:46Z

[jertel]

I suggest enabling debug on ElastAlert 2, this will give you more information on what's going on. Also remove all queries except for the one you know should match, to simplify your rule while you troubleshoot. Once you get it working you can slowly add back more complexity to your rule to find out what's breaking it.

[Raksniru]

apiVersion: v1
kind: ConfigMap
metadata:
name: logstash-rule
namespace:
labels:
k8s-app: elastalert
data:
elastalert.yaml: |-
name: check this out
type: frequency
index: cloud-*
num_events: 2
timeframe:
minutes: 1
filter:
- query:
query_string:
query: "INFO"
default_field: log
alert:
- "googlechat"
googlechat_webhook_url:
alert_text: |
Failure point-log: {0}
Timestamp: {2}
Pod: {1}
Namespace: {3}
Container: {4}
alert_text_type: alert_text_only
alert_text_args: ["log","Pod","@timestamp","Namespace","Container_ID"]
elastalert-TEST.yaml: |-
name: check this out
type: frequency
index: cloud-*
num_events: 2
timeframe:
minutes: 1
filter:
- query:
query_string:
query: "ERROR"
default_field: log
alert:
- "googlechat"
googlechat_webhook
alert_text: |
Failure point-log: {0}
Timestamp: {2}
Pod: {1}
Namespace: {3}
Container: {4}
alert_text_type: alert_text_only
alert_text_args: ["log","Pod","@timestamp","Namespace","Container_ID"]

[Raksniru]

will this work , i have two data files for two queries ....

[nsano-rururu]

Isn't it possible to write the settings of multiple rule files like the following? .. I don't know

apiVersion: v1
kind: ConfigMap
metadata:
name: logstash-rule
namespace:
labels:
k8s-app: elastalert
data:
rule1.yaml: |-

～Rule 1 settings ～

rule2.yaml: |-

～Rule 2 settings ～

rule3.yaml: |-

～Rule 3 settings ～

[Raksniru]

i will try with this method and will check n update

[Raksniru]

The above format you suggested throws an error stating "Rule2.yaml" is duplicated