[ENGSUP-1947] Upgrade elastalert #3

Closed
50 commits
0e6f73a
Added advanced post alerter.
brianmpollack Jun 25, 2017
43c753a
Don't hardcode to using the rule name when firing a PagerDuty alert. …
Jun 28, 2017
c76de98
Update docs
Jun 28, 2017
48c9d2e
Test using alert_subject instead of the rule name for PagerDuty alerts
Jun 28, 2017
4e0bc09
Merge pull request #1192 from muz/pagerduty_alert_titles
Qmando Jul 6, 2017
2e04533
Refactor timespec parsing to support parsing durations
Jul 7, 2017
7a7be11
Refactor ES version lookup to make it lazy
Jul 7, 2017
87f0c76
Add polling to wait for ElasticSearch to become ready
Jul 7, 2017
4e6103b
Improve diagnostics on ElasticSearch responsiveness test
Jul 7, 2017
f2ff2c0
Lower default patience to keep original behavior
AndreLouisCaron Jul 7, 2017
d2e0abc
Merge pull request #1203 from AndreLouisCaron/wait-for-provisioning
Qmando Jul 7, 2017
d838b7d
Version 0.1.17
Qmando Jul 7, 2017
77f47b5
Add jira_bump_after_inactivity field, only bumps ticket after jira_bu…
Jul 7, 2017
fe781be
AdvancedPostAlerter supports static parameters to be POSTed
brianmpollack Jul 8, 2017
7dd4e28
Merge branch 'master' into feature/advanced_post_alerter
brianmpollack Jul 8, 2017
c414b3d
Added advanced post alerter mapping to config
brianmpollack Jul 8, 2017
3e530cf
Added documentation for advanced alerter
brianmpollack Jul 8, 2017
a75bc13
Remove arrow, use util's ts functions instead
Jul 11, 2017
c428ae1
Merged Advanced and Simple HTTP Alerts
brianmpollack Jul 11, 2017
4275fa6
Updated documentation for HTTP Post alert
brianmpollack Jul 11, 2017
c17aa1d
Merge pull request #1205 from jchuah/jchuah_add_bump_after_inactivity
Qmando Jul 11, 2017
ff64398
Merge pull request #1207 from brianmpollack/feature/advanced_post_ale…
Qmando Jul 11, 2017
4e8b52a
Change post alerter and add some backwards compatibility
Qmando Jul 11, 2017
6742cb8
Fixed simple to post compatibility
Qmando Jul 11, 2017
ab45844
Merge pull request #1214 from Yelp/fix_post_alerter
Qmando Jul 11, 2017
2430af9
version 0.1.18
Qmando Jul 13, 2017
4a509c5
Support TLS cert and key in email alert
Jul 20, 2017
2529466
make subfield name configurable
bl1nk Jul 21, 2017
f7a96c4
add documentation
bl1nk Jul 21, 2017
50050d7
refactor code to satisfy flake8
bl1nk Jul 21, 2017
a0981ec
further refactoring
bl1nk Jul 22, 2017
cbe9cb7
Update unix_ms to integer
hongjn Jul 24, 2017
455134d
Fix newterm timestamp bug
hongjn Jul 24, 2017
dca40f1
Added a documentation clarification for import
Qmando Jul 27, 2017
6ed0410
Merge pull request #1250 from Yelp/document_clarification
Qmando Jul 27, 2017
f95b265
Updates to timestamp bug fix for new_term rule
Qmando Jul 27, 2017
f747b9d
Merge pull request #1251 from Yelp/timestamp_bug_fix
Qmando Jul 27, 2017
5ff411d
Merge pull request #1241 from bl1nk/configure_string_multi_fields
Qmando Jul 27, 2017
c4accc4
Merge pull request #1238 from sebgl/tls-cert-and-key
Qmando Jul 27, 2017
54d98ff
Don't rerun enhancements on retried alerts
Qmando Aug 3, 2017
11165ff
Changed pending keyword to retried
Qmando Aug 4, 2017
d4ad7f9
Added a test for retried alerts not running enhancements
Qmando Aug 4, 2017
29fd67a
Merge pull request #1263 from Yelp/enhancements_errors
Qmando Aug 4, 2017
4f63242
Add match_time to alert
Aug 6, 2017
3af80bf
Merge pull request #1267 from bitsensor/master
Qmando Aug 7, 2017
61be9f3
Lowered the default bump_after_inactivity settings to 0 days
Qmando Aug 8, 2017
ae1705e
Merge pull request #1275 from Yelp/lower_inactivty_default
Qmando Aug 8, 2017
4b2d197
adds eval function to jira alerter
ytonui Aug 14, 2017
1d77566
Merge pull request #1286 from Yelp/ytonui_eval_config_option_values
Qmando Aug 14, 2017
e54ea66
Version 0.1.19
Qmando Aug 14, 2017
29 changes: 29 additions & 0 deletions changelog.md
@@ -1,5 +1,34 @@
# Change Log

## v0.1.19

### Added
- Added support for populating JIRA fields via fields in the match
- Added support for using a TLS certificate file for SMTP connections
- Allow a custom suffix for non-analyzed Elasticsearch fields, like ".raw" or ".keyword"
- Added match_time to Elastalert alert documents in Elasticsearch

### Fixed
- Fixed an error in the documentation for rule importing
- Prevent enhancements from re-running on retried alerts
- Fixed a bug when using custom timestamp formats and new term rule
- Lowered jira_bump_after_inactivity default to 0 days

## v0.1.18

### Added
- Added a new alerter "post" based on "simple" which makes POSTS JSON to HTTP endpoints
- Added an option jira_bump_after_inacitivty to prevent ElastAlert commenting on active JIRA tickets

### Removed
- Removed "simple" alerter, replaced by "post"

## v0.1.17

### Added
- Added a --patience flag to allow Elastalert to wait for Elasticsearch to become available
- Allow custom PagerDuty alert titles via alert_subject

## v0.1.16

### Fixed
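Review bot: the v0.1.18 "Added" entry spells the new option ``jira_bump_after_inacitivty``, while the docs hunk in ruletypes.rst and the commit "Add jira_bump_after_inactivity field" name it ``jira_bump_after_inactivity``; a user copying the key from the changelog ends up with a name that does not match the real option, so fix the spelling here. In the same entry, "which makes POSTS JSON to HTTP endpoints" should read "which POSTs JSON to HTTP endpoints", and the v0.1.19 line "Added match_time to Elastalert alert documents" uses "Elastalert" where the rest of this file writes "ElastAlert".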
3 changes: 3 additions & 0 deletions docs/source/elastalert.rst
@@ -179,6 +179,9 @@ The environment variable ``AWS_DEFAULT_PROFILE`` will override this field.
``replace_dots_in_field_names``: If ``True``, ElastAlert replaces any dots in field names with an underscore before writing documents to Elasticsearch.
The default value is ``False``. Elasticsearch 2.0 - 2.3 does not support dots in field names.

``string_multi_field_name``: If set, the suffix to use for the subfield for string multi-fields in Elasticsearch.
The default value is ``.raw`` for Elasticsearch 2 and ``.keyword`` for Elasticsearch 5.

.. _runningelastalert:

Running ElastAlert
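Review bot: the ``string_multi_field_name`` description should state that the configured value includes the leading dot, since both defaults shown (``.raw`` and ``.keyword``) carry it and a user who writes ``keyword`` will silently query a different field name. It would also help to say which rule settings the suffix is appended to, so readers know where the option takes effect.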
49 changes: 45 additions & 4 deletions docs/source/ruletypes.rst
@@ -221,7 +221,8 @@ import

``import``: If specified includes all the settings from this yaml file. This allows common config options to be shared. Note that imported files that aren't
complete rules should not have a ``.yml`` or ``.yaml`` suffix so that ElastAlert doesn't treat them as rules. Filters in imported files are merged (ANDed)
with any filters in the rule. (Optional, string, no default)
with any filters in the rule. You can only have one import per rule, though the imported file can import another file, recursively. The filename
can be an absolute path or relative to the rules directory. (Optional, string, no default)

use_ssl
^^^^^^^
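Review bot: the new sentence says an imported file can itself import another file recursively, but nothing says what happens on a cycle (a file that imports itself, or two files that import each other); state either that ElastAlert detects and rejects the cycle or that loading will not terminate, so the behaviour is documented rather than discovered. Next to "The filename can be an absolute path", it is also worth noting that an absolute import pulls configuration from anywhere on the filesystem, so rule files must be treated as trusted input.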
@@ -1081,7 +1082,7 @@ or
- email
- jira

E-mail subject or JIRA issue summary can also be customized by adding an ``alert_subject`` that contains a custom summary.
E-mail subjects, JIRA issue summaries, and PagerDuty alerts can also be customized by adding an ``alert_subject`` that contains a custom summary.
It can be further formatted using standard Python formatting syntax::

alert_subject: "Issue {0} occurred at {1}"
@@ -1228,6 +1229,10 @@ STARTTLS.
``smtp_auth_file``: The path to a file which contains SMTP authentication credentials. It should be YAML formatted and contain
two fields, ``user`` and ``password``. If this is not present, no authentication will be attempted.

``smtp_cert_file``: Connect the SMTP host using the given path to a TLS certificate file, default to ``None``.

``smtp_key_file``: Connect the SMTP host using the given path to a TLS key file, default to ``None``.

``email_reply_to``: This sets the Reply-To header in the email. By default, the from address is ElastAlert@ and the domain will be set
by the smtp server.

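Review bot: the ``smtp_cert_file`` / ``smtp_key_file`` descriptions do not say what the certificate is for: a client certificate and key presented to the SMTP server (mutual TLS) or a CA bundle used to verify the server. Given that a key file accompanies it, this reads as a client certificate; say so explicitly, state whether both options must be set together, and say whether they apply to SMTPS, STARTTLS, or both (the surrounding text only mentions STARTTLS). Also "default to ``None``" should be "defaults to ``None``", and the key file should be called out as a secret that needs restrictive file permissions like ``smtp_auth_file``.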
@@ -1310,6 +1315,9 @@ Example usage::
jira_bump_in_statuses:
- Open

``jira_bump_after_inactivity``: If this is set, ElastAlert will only comment on tickets that have been inactive for at least this many days.
It only applies if ``jira_bump_tickets`` is true. Default is 0 days.

Arbitrary Jira fields:

ElastAlert supports setting any arbitrary JIRA field that your jira issue supports. For example, if you had a custom field, called "Affected User", you can set it by providing that field name in ``snake_case`` prefixed with ``jira_``. These fields can contain primitive strings or arrays of strings. Note that when you create a custom field in your JIRA server, internally, the field is represented as ``customfield_1111``. In elastalert, you may refer to either the public facing name OR the internal representation.
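Review bot: with the default of 0 days the condition "inactive for at least this many days" is always satisfied, so the ``jira_bump_after_inactivity`` sentence should say plainly that the default disables the inactivity check and comments on every match (which is what the changelog entry "Lowered jira_bump_after_inactivity default to 0 days" implies). It should also define "inactive": the ticket's last update in JIRA or the last ElastAlert comment, since those differ for tickets someone is actively working.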
@@ -1480,12 +1488,16 @@ The alerter requires the following option:

Optional:

``pagerduty_incident_key``: If not set pagerduty will trigger a new incident for each alert sent. If set to a unique string per rule pagerduty will identify the incident that this event should be applied.
``alert_subject``: If set, this will be used as the Incident description within PagerDuty. If not set, ElastAlert will default to using the rule name of the alert for the incident.

``alert_subject_args``: If set, and ``alert_subject`` is a formattable string, ElastAlert will format the incident key based on the provided array of fields from the rule or match.

``pagerduty_incident_key``: If not set PagerDuty will trigger a new incident for each alert sent. If set to a unique string per rule PagerDuty will identify the incident that this event should be applied.
If there's no open (i.e. unresolved) incident with this key, a new one will be created. If there's already an open incident with a matching key, this event will be appended to that incident's log.

``pagerduty_incident_key_args``: If set, and ``pagerduty_incident_key`` is a formattable string, Elastalert will format the incident key based on the provided array of fields from the rule or match.

``pagerduty_proxy``: By default ElastAlert will not use a network proxy to send notifications to Pagerduty. Set this option using ``hostname:port`` if you need to use a proxy.
``pagerduty_proxy``: By default ElastAlert will not use a network proxy to send notifications to PagerDuty. Set this option using ``hostname:port`` if you need to use a proxy.

Exotel
~~~~~~
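Review bot: the new ``alert_subject_args`` entry says ElastAlert "will format the incident key", which is copied from the ``pagerduty_incident_key_args`` wording below it; it should say it formats the incident description (the ``alert_subject``). The ``alert_subject`` line could also point back to the rule-level ``alert_subject`` section of this file, which this same PR updates to cover PagerDuty, so readers do not think it is a PagerDuty-only option.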
@@ -1614,6 +1626,35 @@ Optional:

The stomp_destination field depends on the broker, the /queue/ALERT example is the nomenclature used by ActiveMQ. Each broker has its own logic.

HTTP POST
~~~~~~~~~

This alert type will send results to a JSON endpoint using HTTP POST. The key names are configurable so this is compatible with almost any endpoint. By default, the JSON will contain al the items from the match, unless you specify http_post_payload, in which case it will only contain those items.

Required:

``http_post_url``: The URL to POST.

Optional:

``http_post_payload``: List of keys:values to use as the content of the POST. Example - ip:clientip will map the value from the clientip index of Elasticsearch to JSON key named ip. If not defined, all the Elasticsearch keys will be sent.

``http_post_static_payload``: Key:value pairs of static parameters to be sent, along with the Elasticsearch results. Put your authentication or other information here.

``http_post_proxy``: URL of proxy, if required.

``http_post_all_values``: Boolean of whether or not to include every key value pair from the match in addition to those in http_post_payload and http_post_static_payload. Defaults to True if http_post_payload is not specified, otherwise False.

Example usage::

alert: post
http_post_url: "http://example.com/api"
http_post_payload:
ip: clientip
http_post_static_payload:
apikey: abc123


Alerter
~~~~~~~

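Review bot: the example posts ``apikey: abc123`` to ``http://example.com/api``; since ``http_post_static_payload`` is where the text tells users to "Put your authentication or other information", the example should use an https URL and the text should state that the static payload travels in the request body in cleartext unless the URL uses TLS. Also "al the items" should be "all the items"; ``http_post_payload`` is described as a "List of keys:values" but the example shows a mapping (``ip: clientip``), so call it a mapping of JSON key to match field; and it would help to say whether ``http_post_proxy`` is also used for https URLs and whether the server certificate is verified.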