Add alert handler to create Datadog Events

.github/workflows/alt_build_test.yml

@@ -0,0 +1,30 @@
+# This is a basic workflow to help you get started with Actions
+
+name: alt_build_test
+
+# Controls when the action will run. 
+on:
+  # Triggers the workflow on push or pull request events but only for the master branch
+  push:
+    branches: [ alt ]
+  pull_request:
+    branches: [ alt ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+  # This workflow contains a single job called "build"
+  build:
+    # The type of runner that the job will run on
+    runs-on: ubuntu-latest
+
+    # Steps represent a sequence of tasks that will be executed as part of the job
+    steps:
+      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+      - uses: actions/checkout@v2
+
+      # Runs a single command using the runners shell
+      - name: Build and run tests
+        run: make test-docker

Dockerfile-test

@@ -1,7 +1,9 @@
 FROM ubuntu:latest
 
-RUN apt-get update && apt-get upgrade -y
-RUN apt-get -y install build-essential python3.6 python3.6-dev python3-pip libssl-dev git
+RUN apt update && apt upgrade -y
+RUN apt install software-properties-common -y
+RUN add-apt-repository ppa:deadsnakes/ppa
+RUN apt -y install build-essential python3.9 python3.9-dev python3-pip libssl-dev git
 
 WORKDIR /home/elastalert
 

config.yaml.example

@@ -48,7 +48,6 @@ es_port: 9200
 
 # Use SSL authentication with client certificates client_cert must be
 # a pem file containing both cert and key for client
-#verify_certs: True
 #ca_certs: /path/to/cacert.pem
 #client_cert: /path/to/client_cert.pem
 #client_key: /path/to/client_key.key
@@ -78,38 +77,38 @@ alert_time_limit:
 #    logline:
 #      format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
 #
-#    handlers:
-#      console:
-#        class: logging.StreamHandler
-#        formatter: logline
-#        level: DEBUG
-#        stream: ext://sys.stderr
+#  handlers:
+#    console:
+#      class: logging.StreamHandler
+#      formatter: logline
+#      level: DEBUG
+#      stream: ext://sys.stderr
 #
-#      file:
-#        class : logging.FileHandler
-#        formatter: logline
-#        level: DEBUG
-#        filename: elastalert.log
+#    file:
+#      class : logging.FileHandler
+#      formatter: logline
+#      level: DEBUG
+#      filename: elastalert.log
 #
-#    loggers:
-#      elastalert:
-#        level: WARN
-#        handlers: []
-#        propagate: true
+#  loggers:
+#    elastalert:
+#      level: WARN
+#      handlers: []
+#      propagate: true
 #
-#      elasticsearch:
-#        level: WARN
-#        handlers: []
-#        propagate: true
+#    elasticsearch:
+#      level: WARN
+#      handlers: []
+#      propagate: true
 #
-#      elasticsearch.trace:
-#        level: WARN
-#        handlers: []
-#        propagate: true
+#    elasticsearch.trace:
+#      level: WARN
+#      handlers: []
+#      propagate: true
 #
-#      '':  # root logger
-#        level: WARN
-#          handlers:
-#            - console
-#            - file
-#        propagate: false
+#    '':  # root logger
+#      level: WARN
+#      handlers:
+#        - console
+#        - file
+#      propagate: false

docs/README.md

@@ -0,0 +1,12 @@
+# Documentation
+
+You can read this documentation at [Read The Docs][0].
+
+To build a local version of these docs, the following from within the `/docs` directory:
+
+```
+pip install m2r2 sphinx_rtd_theme sphinx
+make html
+```
+
+You can then view the generated HTML in from within the `build/` folder.

docs/source/conf.py

@@ -19,13 +19,13 @@
 # -- General configuration -----------------------------------------------------
 # Add any Sphinx extension module names here, as strings. They can be extensions
 # coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
-extensions = []
+extensions = ["m2r2"]
 
 # Add any paths that contain templates here, relative to this directory.
 templates_path = ['_templates']
 
 # The suffix of source filenames.
-source_suffix = '.rst'
+source_suffix = ['.rst', '.md']
 
 # The encoding of source files.
 # source_encoding = 'utf-8'
@@ -62,6 +62,7 @@
 # List of directories, relative to source directory, that shouldn't be searched
 # for source files.
 exclude_trees = []
+exclude_patterns = ['recipes/*.md']
 
 # The reST default role (used for this markup: `text`) to use for all documents.
 # default_role = None

docs/source/elastalert.rst

@@ -35,14 +35,29 @@ Currently, we have support built in for these alert types:
 - Email
 - JIRA
 - OpsGenie
-- SNS
-- HipChat
+- AWS SNS
+- MS Teams
 - Slack
+- Mattermost
 - Telegram
 - GoogleChat
+- PagerDuty
+- PagerTree
+- Exotel
+- Twilio
+- Splunk On-Call (Formerly VictorOps)
+- Gitter
+- ServiceNow
 - Debug
 - Stomp
+- Alerta
+- HTTP POST
+- Line Notify
 - TheHive
+- Zabbix
+- Discord
+- Dingtalk
+- Chatwork
 
 Additional rule types and alerts can be easily imported or written. (See :ref:`Writing rule types <writingrules>` and :ref:`Writing alerts <writingalerts>`)
 
@@ -203,6 +218,10 @@ The default value is ``.raw`` for Elasticsearch 2 and ``.keyword`` for Elasticse
 
 ``skip_invalid``: If ``True``, skip invalid files instead of exiting.
 
+``jinja_root_name``: When using a Jinja template, specify the name of the root field name in the template. The default is ``_data``.
+
+``jinja_template_path``: When using a Jinja template, specify filesystem path to template, this overrides the default behaviour of using alert_text as the template.
+
 Logging
 -------
 

docs/source/elasticsearch_security_privileges.rst

@@ -0,0 +1,35 @@
+Elasticsearch Security Privileges
+*********************************
+
+While ElastAlert will just work out-of-the-box for unsecured Elasticsearch, it will need a user with a certain set of permissions to work on secure Elasticseach that allow it to read the documents, check the cluster status etc.
+
+SearchGuard Permissions
+=======================
+
+The permissions in Elasticsearch are specific to the plugin being used for RBAC. However, the permissions mentioned here can be mapped easily to different plugins other than Searchguard.
+
+Details about SearchGuard Action Groups: https://docs.search-guard.com/latest/action-groups
+
+
+Writeback Permissions
+---------------------------
+
+For the global config (which writes to the writeback index), you would need to give all permissions on the writeback indices.
+In addition, some permissions related to Cluster Monitor Access are required.
+
+``Cluster Permissions``: CLUSTER_MONITOR, indices:data/read/scroll*
+
+``Index Permissions`` (Over Writeback Indices): INDICES_ALL
+
+
+Per Rule Permissions
+--------------------------
+
+For per rule Elasticsearch config, you would need at least the read permissions on the index you want to query.
+Detailed SearchGuard Permissions:
+
+``Cluster Permissions``: CLUSTER_COMPOSITE_OPS_RO
+
+``Index Permissions`` (Over the index the rule is querying on): READ, indices:data/read/scroll*
+
+

docs/source/index.rst

@@ -15,12 +15,14 @@ Contents:
    running_elastalert
    ruletypes
    elastalert_status
+   elasticsearch_security_privileges
    recipes/adding_rules
    recipes/adding_alerts
    recipes/writing_filters
    recipes/adding_enhancements
    recipes/adding_loaders
    recipes/signing_requests
+   recipes/faq
 
 Indices and Tables
 ==================