After struggling to try to figure out how to get Playbook emails without having to manually modify every rule once made "active", I have found a solution. Thanks to a few previous Q&A discussions in here, I would like to share my findings with the community. It seems peculiar that this isn't in the standard documentation of SO but maybe it is a 'business' decision not to.
Previously another user had mentioned to edit the file /opt/so/rules/elastalert/playbook/generic.template. But when they let it sit, salt syncs and the file returns to default. In other SO documentation they say to copy default files from /opt/so/saltstack/default/salt/ and place them in /opt/so/saltstack/local/salt/ to make changes permanent. So to set up automated emails for all new playbook alerts the following is needed.
Copy the default template to the local salt path:
cp /opt/so/saltstack/default/salt/soctopus/files/templates/generic.template /opt/so/saltstack/local/salt/soctopus/files/templates/
Modify that new file to define your email settings like so.
This file will be copied by salt to /opt/so/rules/elastalert/playbook/generic.template.
Validate that permissions are correct and check that the file contents match the previous file we updated.
-rw-r--r--. 1 socore socore 696 May 2 21:02 /opt/so/rules/elastalert/playbook/generic.template
Now any rule you activate will have this default email configuration set up. It's pretty large and ugly, I haven't cleaned up the email output yet, but this gets you the alerts so IR can take place when not monitoring the dashboard.
NOTE: You will have to disable and re-enable any rules that are already active as they will not have the new configuration.
I hope this helps anyone like it did me and my deployments. And thank you to the SO team for making a great platform we all can benefit from.
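A check for the validation step described in the post above, as an added example that is not part of the original post or of the SO project's code: it compares the deployed template with the local override and confirms that email settings are present. The function name, the return codes and the keys it looks for (ElastAlert's `email`, `smtp_host` and `from_addr` options) are assumptions, since the post does not show its settings.

```shell
#!/bin/sh
# Added example: confirm salt deployed the local generic.template override.
# Paths are the ones named in the post. The keys checked (email, smtp_host,
# from_addr) are ElastAlert email alerter options and are an assumption here,
# because the post's own email settings are not shown.
LOCAL_TEMPLATE="${LOCAL_TEMPLATE:-/opt/so/saltstack/local/salt/soctopus/files/templates/generic.template}"
DEPLOYED_TEMPLATE="${DEPLOYED_TEMPLATE:-/opt/so/rules/elastalert/playbook/generic.template}"

# check_playbook_template LOCAL DEPLOYED
# Returns 0 if DEPLOYED is byte-identical to LOCAL and carries the email keys.
# Returns 2 or 3 for a missing file, 4 if the deployed copy differs from the
# override (not synced yet, or override in the wrong path), 5 if a key is absent.
check_playbook_template() {
    cpt_src="$1"
    cpt_dst="$2"
    if [ ! -f "$cpt_src" ]; then
        echo "missing local override: $cpt_src"
        return 2
    fi
    if [ ! -f "$cpt_dst" ]; then
        echo "missing deployed template: $cpt_dst"
        return 3
    fi
    if ! cmp -s "$cpt_src" "$cpt_dst"; then
        echo "deployed template differs from the local override"
        return 4
    fi
    for cpt_key in email smtp_host from_addr; do
        # Match an uncommented "key:" at any indentation.
        if ! grep -Eq "^[[:space:]]*${cpt_key}:" "$cpt_dst"; then
            echo "deployed template has no '${cpt_key}:' setting"
            return 5
        fi
    done
    echo "ok: $cpt_dst matches the local override and carries email settings"
    return 0
}

# On a host with the SO salt tree, check the real paths and show owner and mode
# (the listing in the post shows socore socore and -rw-r--r--).
if [ -d /opt/so/saltstack ]; then
    check_playbook_template "$LOCAL_TEMPLATE" "$DEPLOYED_TEMPLATE" || true
    ls -l "$DEPLOYED_TEMPLATE" || true
fi
```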