ElastAlert isn't Sending Emails & YAML Configuration Reverting to its default State

[raphaeleid]

Version

2.4.90

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

cloud

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

32

Storage for /

500

Storage for /nsm

500

Network Traffic Collection

tap

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I just upgraded to Security Onion 2.4.90 with a Distributed Deployment. All grids are OK, working perfectly. I created Sigma detection rule for Failed SSH logins where elastic-agent is installed, and it is also working perfectly. Im receiving alerts in the alerts section. And the logs are appearing in the hunt section, Kibana, etc.

The only needed step is to make these alerts fire by email. We have an smtp server, working on port 25. We are looking forward to send unauthenticated emails through this smtp server.

What im trying to do is, editing the elastalert_config.yaml under /opt/so/conf/elastalert and adding:

smtp_host: 'my.smtp.server' 
smtp_port: 25
smtp_ssl: false
smtp_auth_file: null
email_reply_to: '[email protected]'
from_addr: '[email protected]'
alert_subject: 'Failed SSH Login'

I am facing multiple issues:

• The first one is that the updated configuration is being pushed sometimes on the so-elastalert docker container under /opt/elastalert/ with file config.yaml
• The second one is that I cannot edit any file inside the docker container as it is read-only, so Im trying to copy the configuration file from /tmp to the docker container.
• The third issue which is the main issue, is that every added configuration line under elastalert_config.yaml or config.yaml (inside the docker container) is removed

Keeping in mind that inside the sigma rule, I added:

alert:
    - "email"
email:
    - '[email protected]'
from_addr: '[email protected]'

What can I do in this case to be able to send the Alerts im receiving in the alerts section, by email, using smtp on port 25 and unauthenticated.

Thanks

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.