Playbook - Can't find any Play corresponding to generating rule.uuid

[mskarshinski]

Getting this alert:

Cannot find this Play by ID:

The generated alert's play_url

points to a different play:

I have a couple of alerts like this, maybe 2-3. I've tried grep'ing the /so/rules/elastalert/playbook folder for the ID and didn't find anything. Following the instructions in one of my previous Playbook threads, I backed up and cleared that folder of all .yaml, and have run several so-playbook-syncs and so-playbook-restarts, but I'm like a monkey pulling levers here, I don't know what these commands really do. The so/rules/elastalert/playbook folder finally repopulated itself some time late last night, but I'm not sure of how to force this, or what uses that folder. I'd like to avoid losing the custom plays I've created (I'm assuming that is what so-playbook-reset does?). If I run so-playbook-sigma-refresh it comes back and says a state file exist but that I can force it. Again, trying not to smash things. I'm happy to read documentation but the SO documentation I've read is pretty high-level, apologies if I'm misreading it.

Most helpful would be a description of how a Play makes it through the system. A play created in Playbook is created in an internal Playbook database I'm guessing, where does the yaml folder come into play? Is elastalert reading from the folder or from playbook's database? Somehow I suspect there is a stale entry in a database that is not getting updated.

Thanks in advance and have a good weekend!

[defensivedepth]

Yes, so-playbook-reset will wipe it all, so don't do that unless you have backed up your custom Plays :)

The short version of how this all works:

When a Play is made Active the following happens: An ElastAlert rule is generated, based on the content of the Play, and copied over to the Elastalert rules folder /opt/so/rules/elastalert/playbook

When a Play is edited, the Elastalert rule file is updated as needed.

When a Play is made inactive, the Elastalert rule file is deleted from /opt/so/rules/elastalert/playbook.

Every 3 minutes, Elastalert processes the current files in /opt/so/rules/elastalert/playbook and generates alerts accordingly.

Sometimes things get out of sync - that's where so-playbook-sync comes into the picture - it runs every 5 min and checks to make sure that all active Plays have a corresponding Elastalert rule file, and that inactive Plays are removed from the elastalert folder.

Based on what you posted, it sounds like pulling on some of those levers have caused some inconsistency. I would suggest the following:

• Filter for all Active Plays - confirm that you are not seeing duplicates, etc.
• Delete all the Elastalert files out of /opt/so/rules/elastalert/playbook (the .yaml files)
• Run so-playbook-sync. This will create new elastalert rules only for Active Plays.

Good luck! :)