Getting commands to run through elastalert

[DebianGuru]

I have got elastalert to setup email alerts when we get "critical" level alerts and it works great.

I know this sounds strange, but I've been asked to get 3 duplicate email alerts (one per minute) for certain events. (It's a longs story as to why I want to do that).

So I figured I could get the alert info dumped into a text file and use a simple bash script to email that to me in a for loop, with a delay to get the same email in the fashion I listed above.

The problem is that I can't get the command alert to work. I just want to run a command called "/usr/local/bin/email-alert.sh".

If I put state it like:
alert:

command
command: ["/usr/local/bin/command-alert.sh"]
I get:
Error while running alert command: Error while running command /usr/local/bin/so-alerts.sh: [Errno 2] No such file or directory: '/usr/local/bin/command-alerts.sh'

If I don't specify the full path, I get the same error.

If I omit the brackets, the elastalert.log will say it executed successfully, but the script doesn't appear to run. (If I run the script manually, I get the desired results.)

The scipts permissions are root:root: 755, so It should be executable by elastalert (the user that elastalert runs as). Any other ideas? I tried simple things like inserting "touch /tmp/test.txt" into the script to see if it's running, but nothing seems to happen.

Thanks in advance.

[DebianGuru]

After some digging, I now understand that any commands/scripts on the host will not be available because elastalert is in a container. I see from the docker documents, that I could use a -v option if I were running docker manually. Is there a place I could add this option into SecurityOnion? Thanks.

[DebianGuru]

I discovered that I had to add some lines to: /opt/so/saltstack/default/salt/elastalert/init.sls

It added the following lines under the - binds: section.

• binds:
  • /opt/so/rules/elastalert:/opt/elastalert/rules/:ro
  • /opt/so/log/elastalert:/var/log/elastalert:rw
  • /opt/so/conf/elastalert/modules/:/opt/elastalert/modules/:ro
  • /opt/so/conf/elastalert/elastalert_config.yaml:/opt/elastalert/config.yaml:ro
  • /usr/local/bin/so-alerts.sh:/usr/local/bin/so-alerts.sh:ro
    **- /tmp/elastalert:/tmp/elastalert:rw
  • /usr/sbin/ssmtp:/usr/sbin/ssmtp:ro
  • /etc/ssmtp:/etc/ssmtp/:ro
  • /usr/lib/x86_64-linux-gnu/libgnutls-openssl.so.27:/usr/lib/x86_64-linux-gnu/libgnutls-openssl.so.27:ro
  • /usr/lib/x86_64-linux-gnu/libgnutls-openssl.so.27.0.2:/usr/lib/x86_64-linux-gnu/libgnutls-openssl.so.27.0.2:ro**

Yes, I understand that there could be some security issues with adding read/write to the /tmp/elastalert folder, but in my case, I feel it is minimum. You can decide for yourself.

Of course, you will need to add the appropriate lines for the location of the script you are calling with the "command" alert, as well as any commands called within the script itself.

Hope this helps someone else struggling.