How to Include Mutliple Lines in Elastalaert Rules File

[MohdRashid01]

Hi All,

This is the elastalert container logs when using json file as logging driver.

08:48:47.231Z ERROR elastalert-server:
    ProcessController:  ERROR:root:Error writing alert info to Elasticsearch: AuthorizationException(403, u'cluster_block_exception', u'blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];')
    Traceback (most recent call last):
      File "/opt/elastalert/elastalert/elastalert.py", line 1578, in writeback
        res = self.writeback_es.index(index=index, body=body)
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/client/utils.py", line 84, in _wrapped
        return func(*args, params=params, **kwargs)
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/client/__init__.py", line 364, in index
        "POST", _make_path(index, doc_type, id), params=params, body=body
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/transport.py", line 353, in perform_request
        timeout=timeout,
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/connection/http_requests.py", line 155, in perform_request
        self._raise_error(response.status_code, raw_data)
      File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/connection/base.py", line 178, in _raise_error
        status_code, error_message, additional_info
    AuthorizationException: AuthorizationException(403, u'cluster_block_exception', u'blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];')

The same type of error logs elastalert container when using logging driver as syslog

10:53:53.380Z ERROR elastalert-server:
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:     ProcessController:  ERROR:root:Error writing alert info to Elasticsearch: AuthorizationException(403, u'cluster_block_exception', u'blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];')
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:     Traceback (most recent call last):
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:       File "/opt/elastalert/elastalert/elastalert.py", line 1578, in writeback
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:         res = self.writeback_es.index(index=index, body=body)
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:       File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/client/utils.py", line 84, in _wrapped
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:         return func(*args, params=params, **kwargs)
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:       File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/client/__init__.py", line 364, in index
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:         "POST", _make_path(index, doc_type, id), params=params, body=body
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:       File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/transport.py", line 353, in perform_request
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:         timeout=timeout,
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:       File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/connection/http_requests.py", line 155, in perform_request
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:         self._raise_error(response.status_code, raw_data)
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:       File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.2-py2.7.egg/elasticsearch/connection/base.py", line 178, in _raise_error
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:         status_code, error_message, additional_info
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]:     AuthorizationException: AuthorizationException(403, u'cluster_block_exception', u'blocked by: [FORBIDDEN/12/index read-only / allow delete (api)];')
May 31 10:53:53 hetzner-3 monitoring_elastalert.1.z1pk02hmsh5lpcuc5cbql6ldg/d597413c7fe5[14486]: 

Above both log are pretty much same one log elastalert container(Or could be any container log like postgres, mysql etc) except that when i use syslog as logging driver that log is coming in multiple lines.

So if used elastalert any rule with query parameter as exception(it could be any keyword that we want to capture) for message field, i get only line of error(filter) log not all lines(stacktrace of that log) in my elastalert email/slack alert.

This type of email is coming in email alert

So how include all lines of that particular filer error/exception log in elastalert email/slack alert.

[nsano-rururu]

If you have any questions about bitsensor/elastalert, please check with the developer.
https://github.com/bitsensor/elastalert

[MohdRashid01]

i ask in logstash community but they told me that u need to ask in elastalert

[nsano-rururu]

I'm not a friend of you.

[nsano-rururu]

It ’s your job, is n’t it?

[nsano-rururu]

Don't get me wrong

[nsano-rururu]

I'm not using elastalert2 or logstash.