So-elastalert container not starting after restart server #10649
Docker inspect -> exit code = 1 |
Hi,
I have a problem with so-elastalert: it starts without errors, but then the Docker container exits.
So-status shows an error, and after 5 minutes it shows missing.
I have added some logs.
Could someone please help me?
Thank you.
Logs:
docker ps -a | grep elastalert
4fb6238b184a so-manager:5000/security-onion-solutions/so-elastalert:2.3.260 "/opt/elastalert/run…" 23 seconds ago Exited (1) 20 seconds ago.
docker logs so-elastalert
/usr/local/lib/python3.10/site-packages/elasticsearch/connection/http_requests.py:134: UserWarning: Connecting to https://172.31.15.200:9200 using SSL with verify_certs=False is insecure.
warnings.warn(
/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host '172.31.15.200'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
/usr/local/lib/python3.10/site-packages/urllib3/connectionpool.py:1043: InsecureRequestWarning: Unverified HTTPS request is being made to host '172.31.15.200'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings
warnings.warn(
Reading Elastic 8 index mappings:
Reading index mapping 'es_mappings/8/silence.json'
Reading index mapping 'es_mappings/8/elastalert_status.json'
Reading index mapping 'es_mappings/8/elastalert.json'
Reading index mapping 'es_mappings/8/past_elastalert.json'
Reading index mapping 'es_mappings/8/elastalert_error.json'
Index elastalert_status already exists. Skipping index creation.
Nothing critical in elastalert logs cat /opt/so/log/elastalert/elastalert.log
2023-06-23 16:00:50,742 DEBUG /usr/local/lib/python3.10/site-packages/envparse.py Get 'ES_URL_PREFIX' casted as 'None'/'None' with default 'None'
2023-06-23 16:00:50,742 DEBUG /usr/local/lib/python3.10/site-packages/envparse.py Get 'STATSD_INSTANCE_TAG' casted as 'None'/'None' with default 'None'
2023-06-23 16:00:50,742 DEBUG /usr/local/lib/python3.10/site-packages/envparse.py Get 'STATSD_HOST' casted as 'None'/'None' with default 'None'
But cat /opt/so/log/elastalert/stderr.log
expected <block end>, but found '<scalar>'
  in "<unicode string>", line 16, column 53:
     ... ion: "{{winlog.message|default("", true)}}"
                                         ^
Traceback (most recent call last):
  File "/usr/local/bin/elastalert", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.10/site-packages/elastalert/elastalert.py", line 1862, in main
    client = ElastAlerter(args)
  File "/usr/local/lib/python3.10/site-packages/elastalert/elastalert.py", line 127, in __init__
    self.rules = self.rules_loader.load(self.conf, self.args)
  File "/usr/local/lib/python3.10/site-packages/elastalert/loaders.py", line 166, in load
    rule = self.load_configuration(rule_file, conf, args)
  File "/usr/local/lib/python3.10/site-packages/elastalert/loaders.py", line 227, in load_configuration
    rule = self.load_yaml(filename)
  File "/usr/local/lib/python3.10/site-packages/elastalert/loaders.py", line 251, in load_yaml
    loaded = self.get_yaml(current_path)
  File "/usr/local/lib/python3.10/site-packages/elastalert/loaders.py", line 575, in get_yaml
    return read_yaml(filename)
  File "/usr/local/lib/python3.10/site-packages/elastalert/yaml.py", line 8, in read_yaml
    return yaml.load(yamlContent, Loader=yaml.FullLoader)
  File "/usr/local/lib/python3.10/site-packages/yaml/__init__.py", line 81, in load
    return loader.get_single_data()
  File "/usr/local/lib/python3.10/site-packages/yaml/constructor.py", line 49, in get_single_data
    node = self.get_single_node()
  File "/usr/local/lib/python3.10/site-packages/yaml/composer.py", line 36, in get_single_node
    document = self.compose_document()
  File "/usr/local/lib/python3.10/site-packages/yaml/composer.py", line 55, in compose_document
    node = self.compose_node(None, None)
  File "/usr/local/lib/python3.10/site-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.10/site-packages/yaml/composer.py", line 133, in compose_mapping_node
    item_value = self.compose_node(node, item_key)
  File "/usr/local/lib/python3.10/site-packages/yaml/composer.py", line 84, in compose_node
    node = self.compose_mapping_node(anchor)
  File "/usr/local/lib/python3.10/site-packages/yaml/composer.py", line 127, in compose_mapping_node
    while not self.check_event(MappingEndEvent):
  File "/usr/local/lib/python3.10/site-packages/yaml/parser.py", line 98, in check_event
    self.current_event = self.state()
  File "/usr/local/lib/python3.10/site-packages/yaml/parser.py", line 438, in parse_block_mapping_key
    raise ParserError("while parsing a block mapping", self.marks[-1],
yaml.parser.ParserError: while parsing a block mapping
  in "<unicode string>", line 14, column 2:
     category: "Security Incident"
     ^
expected <block end>, but found '<scalar>'
  in "<unicode string>", line 16, column 53:
     ... ion: "{{winlog.message|default("", true)}}"
                                         ^
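
The traceback above reports the YAML source only as a string, so it does not say which rule file failed to load. The following is an added example, not part of the original post or of Security Onion's or ElastAlert's code: it parses every rule file in a directory with PyYAML and reports the file and position of each parse error, using a constructed rule that reproduces the quoting from stderr.log. The rule directory is an argument because the page does not give its path, and every key name other than `category` is made up.

```python
import pathlib
import tempfile

import yaml  # PyYAML, the parser that raises the ParserError in the traceback

# Constructed rule fragment. Only `category` and the template value come from
# stderr.log; the other key names are made up. The inner "" closes the
# double-quoted scalar early, leaving a second scalar where a key is expected.
BROKEN = '''\
name: constructed-example
constructed_config:
  category: "Security Incident"
  note: "{{winlog.message|default("", true)}}"
'''
# Single-quoting the template keeps the inner double quotes literal.
FIXED = BROKEN.replace('"{{', "'{{").replace('}}"', "}}'")


def lint_rules(rule_dir):
    """Parse each .yaml/.yml file under rule_dir; map relative path -> error or None."""
    root = pathlib.Path(rule_dir)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.suffix not in (".yaml", ".yml"):
            continue
        name = str(path.relative_to(root))
        try:
            # safe_load uses the same scanner and parser as FullLoader but
            # does not construct arbitrary Python objects.
            yaml.safe_load(path.read_text(encoding="utf-8"))
            results[name] = None
        except yaml.YAMLError as exc:
            mark = getattr(exc, "problem_mark", None)
            where = f"line {mark.line + 1}, column {mark.column + 1}" if mark else "?"
            results[name] = f"{getattr(exc, 'problem', exc)} ({where})"
    return results


def demo():
    """Write the two constructed rules to a temporary directory and lint them."""
    with tempfile.TemporaryDirectory() as tmp:
        pathlib.Path(tmp, "broken.yaml").write_text(BROKEN, encoding="utf-8")
        pathlib.Path(tmp, "fixed.yaml").write_text(FIXED, encoding="utf-8")
        return lint_rules(tmp)


if __name__ == "__main__":
    for rule, err in demo().items():
        print(f"{rule}: {err or 'ok'}")
```

Running the same check against the real rule directory before restarting the container shows which rule file stops ElastAlert from loading.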