2.4 Elastalert Yaml

[leealexanderking]

Version

2.4.60

Installation Method

Network installation on Ubuntu

Description

configuration

Installation Type

Standalone

Location

on-prem with Internet access

Hardware Specs

Meets minimum requirements

CPU

4

RAM

20

Storage for /

1tb

Storage for /nsm

800gb

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Hi, Fresh install of Security Onion 2.4.6 - the last time I properly use in anger was about 10 years ago so things have changed. I am really struggling to get the elastalerts to work sending emails. I have confirmed the connectivity and email account details etc. But when I install a yaml (even tried a version of the cardinality_alerts.yaml that i found linked to one of these forum posts) it kills the so-elastalert status - changes it to missing. a review of elastalert.log only moaned about the smtp_auth_file.txt file path - which I resolved. Now it appears whenever I add any .yaml to the rules it kills the service. Does anyone have a working 2.4 email alerting yaml they could share so I can check where I'm potentially going wrong please?
Many Thanks.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[reyesj2]

There is an example of setting up external email alerting for elastalert rules in the docs at https://docs.securityonion.net/en/2.4/elastalert.html#email-external

Here is an example rule that would send an email anytime the rule.uuid 2100498 is seen. If you are creating your alert using playbook then you need to add the email portion by editing the yaml file in /opt/so/rules/elastalert/playbook/

alert:
- "email"
email:
- "[email protected]"
smtp_host: "smtp.gmail.com"
smtp_port: 465
smtp_ssl: true
from_addr: "[email protected]"
smtp_auth_file: '/opt/elastalert/rules/smtp_auth_file.txt'

- "modules.so.playbook-es.PlaybookESAlerter"

elasticsearch_host: "10.250.0.160:9200"
play_title: "TestNIDS"
play_id: "33520538d"
event.module: "playbook"
event.dataset: "playbook.alert"
event.severity: 4
rule.category: ""
play_url: "https://10.250.0.160/playbook/issues/2212"
kibana_pivot: "https://10.250.0.160/kibana/app/kibana#/discover?_g=()&_a=(columns:!(_source),interval:auto,query:(language:lucene,query:'_id:{[_id]}'),sort:!('@timestamp',desc))"
soc_pivot: "https://10.250.0.160/#/hunt"
sigma_level: "critical"


index: '.ds-logs-*'
name: "TestNIDS - 33520538d"
priority: 3
realert:
  minutes: 0
type: any
filter:
- eql: >
   any where (rule.category : "Potentially Bad Traffic" and rule.uuid : "2100498")

[leealexanderking]

Thank you for taking the time to reply - I am now getting a different error in the std.err log indicating no such file or directory as /opt/so/rules/elastalert/smtp_auth_file.txt . I am now onto diagnosing why this is ocuring. (the file exists).

[witekenea]

is the email portion added in the rule.yaml file (33520538d.yaml in this case) or in the generic.template file? i try adding the email portion in the rule.yaml file but the test will fail