Do your rules have this configuration in them at least?

alert:  - email

You may be able to use config.yaml to host your stmpconfig /creds etc for all rules -- but your RULES may still need to be configured with the email alert configuration

Full example:

config.yaml

run_every:  minutes: 1buffer_time:  minutes: 15writeback_index: elastalert_statuslog_file: /var/log/elastalert.logalert_time_limit:  days: 2es_host: lme-elasticsearches_port: 9200start_time: "now"es_username: "elastic"es_password: "your_actual_password_here"use_ssl: trueverify_certs: falserules_folder: /opt/elastalert/rulessmtp_host: internalsmtp.serverIsHere.orgsmtp_port: 25from_addr: "elastalert2@mycompany.org"email: "destination_email@mycompany.org"smtp_auth_file: /opt/lme/config/elastalert2/smtp_auth.yml

creds file:

user: "smtp-username"password: "smtp-password"

example rule showing email configuration:

name: Simple Test Ruletype: anyindex: my-index-*filter:- query:    query_string:      query: "*"alert:  - email

how to use test in container (enter the container)

sudo -i podman exec -it lme-elastalert2 bash

run test script:

elastalert-test-rule /opt/elastalert/rules/alert-name.yaml

• i do recommend using yaml instead of yml
  docs state:

Every file that ends in .yaml in the rules_folder will be run by default. The following configuration settings are common to all types of rules.

I don't have rules in the rules folder other than the ones that were there by default. I was trying to avoid having to create a file for every rule that I've enabled and want to get alerted on (I just want an email for all alerts). Am I mis-understanding what you're suggesting? I did just modify the example-email-rule.yml file and added alert:

• email

Yes, you may be misunderstanding -- when you say rules that you've enabled...what rules?

The rules in the web interface under "Security"

So those are separate from elastalert... those will alert in kibana but they wont do anyting with email/slack/etc unless you use elastalert.

Something i've been experimenting with is this -- tailored to your use case this may be a good test:

add this to the elastalert rules file at /opt/lme/config/elastalert2/rules

# /opt/lme/config/elastalert2/rules/rollup_kibana_alerts.yamlname: Rollup Kibana Native Security Alertstype: anyindex: .alerts-security.alerts-*filter:  - range:      "@timestamp":        gte: "now-5m"  - query_string:      query: "kibana.alert.rule.name:*"realert:  minutes: 0aggregation:  minutes: 0alert:  - emailalert_text_type: alert_text_onlyalert_text: |  🚨 New Security Alert 🚨  Severity: {0}  Host: {1}  Rule: {2}  User: {3}  Action: {4}alert_text_args:  - kibana.alert.severity  - host.name  - kibana.alert.rule.name  - user.name  - event.action

These right here

alert_text_args:

• kibana.alert.severity
• host.name
• kibana.alert.rule.name
• user.name
• event.action

are fields in the json from each alert

so every alert has the field kibana.alert.severity field and it will be low, medium, high, or critical. We use an argument here to say get the severity and then add it to the alert

so your email will start with

severity: high or low or critical - whatever that single alert is

does the same for each of those args

you may have broken the rule by adding the = part to the end of each

I got this working for me doing the following:

created a rule at the following location with the following configuration:

# /opt/lme/config/elastalert2/rules/rollup_kibana_alerts.yamlname: Rollup Kibana Native Security Alertstype: anyindex: .alerts-security.alerts-*filter:  - range:      "@timestamp":        gte: "now-5m"  - query_string:      query: "kibana.alert.rule.name:*"realert:  minutes: 0aggregation:  minutes: 0alert:  - emailalert_text_type: alert_text_onlyalert_text: |  🚨 New Security Alert 🚨  Severity: {0}  Host: {1}  Rule: {2}  User: {3}  Action: {4}alert_text_args:  - kibana.alert.severity  - host.name  - kibana.alert.rule.name  - user.name  - event.actionemail:  - "myemail@gmail.com"smtp_host: "smtp.gmail.com"smtp_port: 465smtp_ssl: truefrom_addr: "elastalert@elastalert.com"smtp_auth_file: /opt/elastalert/misc/smtp_auth.yml

created authentication file at the following location:

# /opt/lme/config/elastalert2/misc/smtp_auth.ymluser: "email@gmail.com"password: "passcode"

My config.yaml

run_every:  minutes: 5buffer_time:  minutes: 15writeback_index: elastalert_statusalert_time_limit:  days: 2es_host: lme-elasticsearches_port: 9200use_ssl: trueverify_certs: falsessl_show_warn: false#exists in the containerrules_folder: /opt/elastalert/rules

restarted elastalert verify its online properly

sudo systemctl restart lme-elastalert.service

logs:

sudo -i podman logs -f lme-elastalert2

You may see warnings about http -- this is fine its just private docker network communications

if its up and running you can force the rule to run:

enter the container:

sudo -i podman exec -it lme-elastalert2 bash

Run elastalert rule:

elastalert --verbose --config /opt/elastalert/config.yaml --rule /opt/elastalert/rules/rollup_kibana_alerts.yml

verify in kibana you actually have an alert generated in the last 5 minutes... if not trigger one then run the command above. Check email

updated location of smtp_auth.yml

on host machine it must go here:

/opt/lme/config/elastalert2/misc/smtp_auth.yml

In this example

Just to clarify how this works.. we have a mount that takes

/opt/lme/config/elastalert2 on the HOST machine and mounts it to /opt/elastalert in the container.

so when you see references to /opt/elastalert in configuration files thats basically a function thats existing INSIDE the container -- but its actually mounted on the host machine to /opt/lme/config/elastalert2

Thanks so much for sharing these configs, etc. that you got working! I copied what you have above and plugged it into my environment and get to the point of trying to enter the container and had issues. The container keeps dropping and restarting every 2-3 seconds so doesn't stay up long enough to get into it. I had this happen when trying to do the configuration based on documentation initially too, so I'm working through which line is causing me issues. I'll post again when I have a better update.

If you configured everything in ElastAlert2 correctly and still have elastalert2 service dropping every 2-3 seconds. make sure you didnt change the default password. that's what happened to me. after I put back the elastic user default password. All alerts started to work.

Awesome! I finally got it working with a few small tweaks...! First with the 2-3 second restart with the elastalert service: When I copy and pasted - it didn't paste quite right. The line with the bomb icons didn't paste at all and the Severity line was indented a little more to the right. After changing those 2 lines - the container stayed up. :)
alert_text: |
🚨 New Security Alert 🚨
Severity: {0}
Host: {1}
Rule: {2}
User: {3}
Action: {4}

I had to work through some issues with our smtp server (but got errors that indicated what was wrong) and now my mailbox is blowing up with alerts! :). Thanks so much for your help!!!

AND i do apologize for my copy and pasting... the icons that get pasted in here is typically something like

:rotating_light: github was just actually changing it into the icon lol because i didn't quote it out

Totally unnecessary addition -- just thought its a nice touch