CSEC_PUBLIC/securityonion
1
0
Fork 0
mirror of https://github.com/Security-Onion-Solutions/securityonion.git synced 2025-12-06 09:12:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
fce22c1cc489e9adb4a08c0e61375cd9f864c0dd
securityonion/salt/elastalert/files/elastalert_config.yaml
Josh Brower ddd099233a Playbook Fixes - Issue #1064
2020-08-06 15:43:45 -04:00

111 lines
3.5 KiB
YAML
Raw Blame History

{% set esip = salt['pillar.get']('manager:mainip', '') %}
{% set esport = salt['pillar.get']('manager:es_port', '') %}
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: /opt/elastalert/rules/
# Sets whether or not ElastAlert should recursively descend
# the rules directory - true or false
scan_subdirectories: true
# Do not disable a rule when an uncaught exception is thrown -
# This setting should be tweaked once the following issue has been fixed
# https://github.com/Security-Onion-Solutions/securityonion-saltstack/issues/98
disable_rules_on_error: false
# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
minutes: 1
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
minutes: 5
# The maximum time between queries for ElastAlert to start at the most recently
# run query. When ElastAlert starts, for each rule, it will search elastalert_metadata
# for the most recently run query and start from that time, unless it is older than
# old_query_limit, in which case it will start from the present time. The default is one week.
old_query_limit:
minutes: 5
# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: {{ esip }}
# The Elasticsearch port
es_port: {{ esport }}
# Sets timeout for connecting to and reading from es_host
es_conn_timeout: 55
# The maximum number of documents that will be downloaded from Elasticsearch in
# a single query. The default is 10,000, and if you expect to get near this number,
# consider using use_count_query for the rule. If this limit is reached, ElastAlert
# will scroll through pages the size of max_query_size until processing all results.
max_query_size: 5000
# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1
# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test
# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch
# Connect with TLS to Elasticsearch
#use_ssl: True
# Verify TLS certificates
#verify_certs: True
# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET
# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
days: 2
index_settings:
shards: 1
replicas: 0
logging:
version: 1
incremental: false
disable_existing_loggers: false
formatters:
logline:
format: '%(asctime)s %(levelname)+8s %(name)+20s %(message)s'
handlers:
file:
class : logging.FileHandler
formatter: logline
level: INFO
filename: /var/log/elastalert/elastalert.log
loggers:
'':
level: INFO
handlers:
- file
propagate: false
Reference in New Issue View Git Blame Copy Permalink