elastalert: new_style_string_format not working anymore

Hello,

Sorry if I don’t respect standards for issues reporting, first one here.

Since 4e8271d9215b9db5cb49e4182985392a099ea7ba (commit which was working), the “new_style_string_format” is not working.

My alert command is the following. It sends messages from auditbeat logs. It was working well before, it is not working anymore. I came back to this commit (4e8271d9215b9db5cb49e4182985392a099ea7ba) and it’s working again.

alert:
- "command"
command: ["/var/lib/elastalert/commands/send_message.sh", "A sudo was executed on {match[beat][name]} : {match[auditd][data][cmd]}"]
new_style_string_format: true

Not working : A sudo was executed on {match[beat][name]} : {match[auditd][data][cmd]}
Working : A sudo was executed on vm-log-es01 : /usr/bin/python -m elastalert.elastalert --verbose --config /var/lib/elastalert/config.yaml --rule /var/lib/elastalert/custom-rules/audit-sudo.yaml

About this issue

  • State: closed
  • Created 6 years ago
  • Comments: 18 (8 by maintainers)

Most upvoted comments

Unfortunately the alert text can’t be formatted directly into the command. You have to do a slight workaround using some scripting to convert the stdin to a command line arg.

In alert.sh, add

#!/bin/bash
# Read the whole alert text that elastalert pipes to stdin (pipe_alert_text: true)
alert_text=$(cat)
# Pass it on as a single, quoted argument so spaces in the alert text stay intact
some_command "$alert_text"

Then have the command just run alert.sh with pipe_alert_text: true

#1776 will fix this
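The workaround from the comments, written out as an added example; it is not code from the elastalert project or from anyone in this thread. It assumes the rule uses pipe_alert_text: true so the rendered alert_text arrives on the wrapper's stdin, and that the sudo message is built with the standard alert_text / alert_text_args / alert_text_type rule options instead of inside the command line. The script path and the send_message function are assumptions; send_message only echoes its argument so the script runs offline.

```shell
#!/bin/bash
# Added example (not elastalert's code): wrapper for the pipe_alert_text workaround.
#
# Rule fragment this wrapper is meant for (paths are assumptions):
#
#   alert:
#   - command
#   command: ["/var/lib/elastalert/commands/alert.sh"]
#   pipe_alert_text: true
#   alert_text_type: alert_text_only
#   alert_text: "A sudo was executed on {0} : {1}"
#   alert_text_args: ["beat.name", "auditd.data.cmd"]

# Read the complete alert body from stdin into one string. $(cat) is used instead
# of backticks, and the value is quoted wherever it is used, so spaces and shell
# metacharacters in the audited command line stay inside a single argument and
# are never re-parsed by the shell.
read_alert_text() {
    local text
    text=$(cat)
    printf '%s' "$text"
}

# Collapse a multi-line alert body into one line so it fits a single
# command-line argument; elastalert ends the piped text with newlines.
one_line() {
    printf '%s' "$1" | tr '\n' ' ' | sed 's/[[:space:]]*$//'
}

# Stand-in for the real sender (assumed name): it just echoes its one argument.
send_message() {
    printf 'sending: %s\n' "$1"
}

main() {
    local alert_text
    alert_text=$(read_alert_text)
    send_message "$(one_line "$alert_text")"
}

# Only run main when installed and executed as alert.sh; sourcing the file
# (for example to test the functions) does not read stdin.
case "$0" in
    *alert.sh) main ;;
esac
```

With the rule above, elastalert renders "A sudo was executed on vm-log-es01 : ..." itself, pipes it to alert.sh, and the wrapper hands the text to the sender as one argument; the audited command line is never substituted into a shell command string.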