ElastAlert and changing E-mail content - elastalert

I've just gotten started with ElastAlert and I love it. I have an application up and running that basically sends me e-mails. My problem now is that the e-mails contain a whole bunch of unnecessary information that I would like to remove.
I've looked around but haven't found any way of doing this. Is there a simple way to change the content of my e-mail to make it a bit simpler, such as specifying exactly which fields I want to see?
Best regards! And thank you in advance.

Example rule config part for custom email content:
```yaml
alert:
  - "email"
alert_text_type: alert_text_only
alert_text: |
  Disk Used : {0:.2%}
  Mount Point : {1}
  Host : {2}
  Timestamp : {3}
alert_text_args: ["system.filesystem.used.pct", "system.filesystem.mount_point", "beat.hostname", "@timestamp"]
email:
  - "devops@example.com"
```
Email content sample:
```
Disk Used : 85.00%
Mount Point : /
Host : example_hostname
Timestamp : 2019-01-14T06:04:46.221Z
```
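To see how alert_text and alert_text_args combine, here is an added example (not part of the answer above and not ElastAlert's own code) that renders the same template from a constructed match document: it resolves the dotted field names against nested dicts and substitutes a placeholder when a field is missing, which is modelled on, not copied from, ElastAlert's behaviour, and it shows what happens when the placeholder meets the `{0:.2%}` format spec.

```python
import re

# Template and argument list from the answer above (@timestamp is the Elasticsearch field name).
ALERT_TEXT = (
    "Disk Used : {0:.2%}\n"
    "Mount Point : {1}\n"
    "Host : {2}\n"
    "Timestamp : {3}"
)
ALERT_TEXT_ARGS = ["system.filesystem.used.pct", "system.filesystem.mount_point",
                   "beat.hostname", "@timestamp"]

# Placeholder for fields absent from the match (an assumption modelled on ElastAlert).
MISSING = "<MISSING VALUE>"

# Constructed match document with the nested layout these field names imply.
SAMPLE_MATCH = {
    "@timestamp": "2019-01-14T06:04:46.221Z",
    "beat": {"hostname": "example_hostname"},
    "system": {"filesystem": {"used": {"pct": 0.85}, "mount_point": "/"}},
}


def lookup_field(doc, dotted):
    """Resolve 'a.b.c' against nested dicts; a flat key literally named 'a.b.c' wins."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def render_alert(match, text=ALERT_TEXT, args=ALERT_TEXT_ARGS):
    """Positional str.format of alert_text with the looked-up alert_text_args values."""
    values = [lookup_field(match, a) for a in args]
    values = [MISSING if v is None else v for v in values]
    try:
        return text.format(*values)
    except (ValueError, TypeError):
        # A spec such as {0:.2%} cannot be applied to the placeholder string,
        # so drop the specs and render raw values rather than losing the alert.
        plain = re.sub(r"\{(\d+):[^}]*\}", r"{\1}", text)
        return plain.format(*values)


if __name__ == "__main__":
    print(render_alert(SAMPLE_MATCH))
```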

Magento 2 API removes spaces within variables

I am working with orders and invoices.
I noticed M2 (2.4.4) removes lots of spaces in almost all variables, e.g. for:
```
order['billing_address']:
    'city': 'CHAMPIGNYSURMARNE'
```
In the backend, it's correctly written 'CHAMPIGNY SUR MARNE'.
Same for:
```
order['billing_address']
    'additional_information': [
        'Virementbancaire',
        'Votrecommandeseraexpédiéelorsquelevirementdesonmontantseraconfirméparnotreorganismebancaire.\r\nVoustrouvereznoscoordonnéesbancairesdanslaconfirmationdecommandeenvoyéesurvotreboîteemail.'
    ],
```
I also noticed that the issue doesn't happen in all variables, even if, for now, I can only see ONE value on which it doesn't happen:
```
order['status_histories']
    'comment': "Remboursement de 6,00\xa0€ hors ligne. <span style='color:deeppink'>(By Axel B)</span>",
```
Did anyone else ever notice this?
My bad! I post this answer because maybe somebody one day could be as dizzy as me.
The reason is that I use a new tool for formatting, among other things, JSON and XML.
I recommend it to those who do not know it yet: DevToys (Mac and Win).
But it is responsible for my misfortunes because it is what removes the spaces when beautifying. As the file was long, I didn't even have a look at the raw file. I've searched the software for an option that could avoid this behaviour ... without success.

mongodb differences between clients

I'm very confused and I can't seem to find any explanations on the web. windowStart is an ISODate in my documents.
When using the mongodb-java-driver (via the mongoTemplate in Spring) the following works fine...
```js
{windowStart : {$lt : new Date()}}
```
When I use the MongoDB Compass GUI and type the above in the Filter, it is marked as not valid. If I change it to...
```js
{windowStart : {$lt : new Date('2018-10-01')}}
```
...then it is marked as valid and works.
Another example...
```js
{windowStart : {$gt : new Date(new Date('2018-10-01').getTime()+1000*60*60*24*64)}}
```
Does not work in mongodb-java-driver (via the mongoTemplate in Spring).
Does work in the MongoDB Compass GUI.
So I just can't work out what I can and cannot do. There is something I'm missing about how the client drivers work and their differences. I see lots of examples on the web for searching date ranges etc., yet most don't work for me, so again I'm wondering what client they were written for.
With the filter below, you will get the data between the given dates:
```js
{windowStart:{$gte:ISODate('2022-12-28'),$lte:ISODate('2022-12-29')}}
```

Using Environment variables in ElastAlert

I am trying to implement alerts on my data in Elasticsearch using ElastAlert. I would like to know if there is a way to use environment variables, a properties file, or exported values to change the fields present in rule types in ElastAlert, instead of changing the values manually in the rule files, to reduce the possibility of an error.
For example, my spike rule configuration looks like this:
```yaml
name: Event spike
type: spike
index: alerting-logs-*
threshold_cur: 300
timeframe:
  minutes: 2
spike_height: 2
spike_type: "up"
query_key: HostName
filter:
  - query:
      query_string: {query: 'smcfsloglevel:ERROR'}
alert:
  - "email"
email:
  - "someuser@email.com"
```
Now if I want to change the value of threshold_cur from 300 to, say, 500, can I somehow do it without going into the spike rule file, for example by exporting a variable and writing `threshold_cur: ${thr_cur}`?
Does anyone have an idea to achieve this?
Have you tried defining threshold_cur in your main elastalert.yml file?
```yaml
current_threshold: 300
```
And then in your rule file, reference the threshold_cur value:
```yaml
threshold_cur: {{current_threshold}}
```
I am doing something like this in an alert file that sends an email, and it works.
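One way to get the `${thr_cur}` style the question asks for, as an added example (not from the thread): a small pre-processing step, run outside ElastAlert, that fills the placeholders from the environment before the rule file is handed to ElastAlert. The template, the allow-list of placeholder names and the value patterns are all assumptions; the allow-list and patterns are what keep a mistyped or unset exported variable from silently producing a broken rule, which is the error the question wants to avoid.

```python
import os
import re
from string import Template

# Constructed template modelled on the spike rule in the question; the ${...}
# placeholders use the syntax the question proposes.
RULE_TEMPLATE = """\
name: Event spike
type: spike
index: alerting-logs-*
threshold_cur: ${thr_cur}
timeframe:
  minutes: 2
spike_height: ${spike_height}
spike_type: "up"
query_key: HostName
"""

# Hypothetical allow-list: which placeholders may appear, and the shape each
# value must have before it is pasted into the YAML.
ALLOWED = {
    "thr_cur": re.compile(r"^\d+$"),               # integer count
    "spike_height": re.compile(r"^\d+(\.\d+)?$"),  # positive number
}


def placeholders(template_text):
    """Names of all ${name} / $name placeholders in the template."""
    tpl = Template(template_text)
    return {m.group("named") or m.group("braced")
            for m in tpl.pattern.finditer(template_text)
            if m.group("named") or m.group("braced")}


def render_rule(template_text, env):
    """Fill placeholders from env; refuse unknown names and unset or malformed values."""
    values = {}
    for name in sorted(placeholders(template_text)):
        if name not in ALLOWED:
            raise ValueError(f"placeholder ${{{name}}} is not allow-listed")
        if name not in env:
            raise KeyError(f"{name} is not exported in the environment")
        if not ALLOWED[name].match(env[name]):
            raise ValueError(f"bad value for {name}: {env[name]!r}")
        values[name] = env[name]
    return Template(template_text).substitute(values)


if __name__ == "__main__":
    # e.g.  thr_cur=500 spike_height=2 python render_rule.py > spike.yaml
    print(render_rule(RULE_TEMPLATE, os.environ))
```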

Slack API - Don't notify user when parsing user id

In this message formatting doc: https://api.slack.com/docs/message-formatting, you can use the special control sequence characters < and > to perform server-side parsing (server-side as in the Slack API's server side).
So using <@U024BE7LH> in your chat.postMessage() call will get parsed to something like @bob, or whatever the username associated with that ID is, in the actual text that shows up in Slack.
Unfortunately, this will cause a notification for the person you're referring to. How do I make it so that it doesn't notify the person? I've tried enclosing it in a code block, i.e.:
`<@U024BE7LH>`
or
```
<@U024BE7LH>
```
But it still pings. I'm thinking the only way is to get a list of users and parse the name from the ID.
According to this, backticks should work but empirically it hasn't for me. The Slack employee says to just convert the user ID to their name and use that without the templating.
https://forums.slackcommunity.com/s/question/0D73a000005n0OXCAY/detail?language=en_US&fromEmail=1&s1oid=00Dj0000001q028&s1nid=0DB3a000000fxl3&s1uid=0053a00000Ry9cX&s1ext=0&emkind=chatterCommentNotification&emtm=1667894666436&emvtk=fH.W2M01lq9W1cf31RSROPwB7LYs.och8RgbVTqoNlg%3D&t=1667931570045
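The workaround the answer describes, as an added example (not from the thread): mention tokens in the <@U024BE7LH> form are swapped for the plain display name from a users table, so the text no longer contains a sequence the server would resolve into a notification. The users table is a constructed stand-in for what you would build from a users.list call; escaping &, < and > in the remaining text follows the formatting doc linked in the question.

```python
import re

# Constructed stand-in for the id -> name table you would build from users.list.
USERS = {"U024BE7LH": "bob", "U0G9QF9C6": "alice"}

# <@ID> or <@ID|label>; the optional label is the fallback text Slack allows in a mention.
MENTION = re.compile(r"<@([UW][A-Z0-9]+)(?:\|([^>]*))?>")


def slack_escape(text):
    """Escape the characters Slack parses as control sequences (& first, then < and >)."""
    return text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")


def demention(text, users=USERS):
    """Replace user-mention tokens with plain names and escape everything else.

    A plain name is not a control sequence, so the server has nothing to resolve
    and nobody is notified. Unknown IDs fall back to the label, then the raw ID.
    """
    out, pos = [], 0
    for m in MENTION.finditer(text):
        out.append(slack_escape(text[pos:m.start()]))  # literal text before the token
        uid, label = m.group(1), m.group(2)
        out.append(users.get(uid) or label or uid)
        pos = m.end()
    out.append(slack_escape(text[pos:]))
    return "".join(out)


if __name__ == "__main__":
    print(demention("ask <@U024BE7LH> & <@U0G9QF9C6|ali> about <@U0ZZZZZZZ>"))
```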

Salt and managing .ssh/authorized_keys

Salt has a state module to manage .ssh/authorized_keys
https://docs.saltstack.com/en/develop/ref/states/all/salt.states.ssh_auth.html
I am not happy with it, since it combines code and data.
The state file is for me some kind of source code.
The ssh-key is for me data.
I don't want to combine both in one file.
Is there another solution which separates code and data?
You don't have to put them together in one file.
As per the documentation: https://docs.saltstack.com/en/latest/ref/states/all/salt.states.ssh_auth.html
you can use this method:
```yaml
thatch:
  ssh_auth.present:
    - user: root
    - source: salt://ssh_keys/thatch.id_rsa.pub
    - config: /%h/.ssh/authorized_keys
```
(Contrary to the example in the documentation, I get an error if the config: value starts with a '%'.)
This keeps your keys in their appropriate files and only links them from your code by their filenames.
Please have a look at the OpenSSH Formula. openssh/auth.sls contains the code for a state that pulls all data from a pillar. In the root folder of the formula you find pillar.example that shows how to structure the data for a pillar.
Maybe this formula is a starting point for you.