{% set esip = salt['pillar.get']('master:mainip', '') %} {% set esport = salt['pillar.get']('master:es_port', '') %} # This is the folder that contains the rule yaml files # Any .yaml file will be loaded as a rule rules_folder: /opt/elastalert/rules/ # Sets whether or not ElastAlert should recursively descend # the rules directory - true or false scan_subdirectories: true # Do not disable a rule when an uncaught exception is thrown - # This setting should be tweaked once the following issue has been fixed # https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/98 disable_rules_on_error: false # How often ElastAlert will query Elasticsearch # The unit can be anything from weeks to seconds run_every: minutes: 1 # ElastAlert will buffer results from the most recent # period of time, in case some log sources are not in real time buffer_time: minutes: 1 # The maximum time between queries for ElastAlert to start at the most recently # run query. When ElastAlert starts, for each rule, it will search elastalert_metadata # for the most recently run query and start from that time, unless it is older than # old_query_limit, in which case it will start from the present time. The default is one week. old_query_limit: minutes: 5 # The Elasticsearch hostname for metadata writeback # Note that every rule can have its own Elasticsearch host es_host: {{ esip }} # The Elasticsearch port es_port: {{ esport }} # Sets timeout for connecting to and reading from es_host es_conn_timeout: 60 # The maximum number of documents that will be downloaded from Elasticsearch in # a single query. The default is 10,000, and if you expect to get near this number, # consider using use_count_query for the rule. If this limit is reached, ElastAlert # will scroll through pages the size of max_query_size until processing all results. max_query_size: 5000 # The AWS region to use. Set this when using AWS-managed elasticsearch #aws_region: us-east-1 # The AWS profile to use. Use this if you are using an aws-cli profile. # See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html # for details #profile: test # Optional URL prefix for Elasticsearch #es_url_prefix: elasticsearch # Connect with TLS to Elasticsearch #use_ssl: True # Verify TLS certificates #verify_certs: True # GET request with body is the default option for Elasticsearch. # If it fails for some reason, you can pass 'GET', 'POST' or 'source'. # See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport # for details #es_send_get_body_as: GET # Option basic-auth username and password for Elasticsearch #es_username: someusername #es_password: somepassword # The index on es_host which is used for metadata storage # This can be a unmapped index, but it is recommended that you run # elastalert-create-index to set a mapping writeback_index: elastalert_status # If an alert fails for some reason, ElastAlert will retry # sending the alert until this time period has elapsed alert_time_limit: days: 2 index_settings: shards: 1 replicas: 0