From d123a4e5a094bf09079d71414d494165fdcd570f Mon Sep 17 00:00:00 2001 From: Ryan Goggin Date: Wed, 9 Nov 2022 15:27:42 -0500 Subject: [PATCH 1/4] Add realert key to rule configuration --- docs/source/ruletypes.rst | 8 ++++++++ elastalert/elastalert.py | 2 +- elastalert/loaders.py | 1 + elastalert/schema.yaml | 1 + tests/conftest.py | 1 + 5 files changed, 12 insertions(+), 1 deletion(-) diff --git a/docs/source/ruletypes.rst b/docs/source/ruletypes.rst index c5d9f547..c38abd58 100644 --- a/docs/source/ruletypes.rst +++ b/docs/source/ruletypes.rst @@ -88,6 +88,8 @@ Rule Configuration Cheat Sheet +--------------------------------------------------------------+ | | ``realert`` (time, default: 1 min) | | +--------------------------------------------------------------+ | +| ``realert_key`` (string, defaults to the rule name) | | ++--------------------------------------------------------------+ | | ``exponential_realert`` (time, no default) | | +--------------------------------------------------------------+ | | ``match_enhancements`` (list of strs, no default) | | @@ -495,6 +497,12 @@ This is applied to the time the alert is sent, not to the time of the event. It that if ElastAlert 2 is run over a large time period which triggers many matches, only the first alert will be sent by default. If you want every alert, set realert to 0 minutes. (Optional, time, default 1 minute) +realert_key +^^^^^^^^^^^ + +``realert_key``: This option allows you to customize the key for ``realert``. The default is the rule name, but if you have multiple rules that +you would like to use the same key for you can set the ``realert_key`` to be the same in those rules. (Optional, string, default is the rule name) + exponential_realert ^^^^^^^^^^^^^^^^^^^ diff --git a/elastalert/elastalert.py b/elastalert/elastalert.py index dd92d5b1..e78b90a8 100755 --- a/elastalert/elastalert.py +++ b/elastalert/elastalert.py 
@@ -880,7 +880,7 @@ def run_rule(self, rule, endtime, starttime=None): # If realert is set, silence the rule for that duration # Silence is cached by query_key, if it exists # Default realert time is 0 seconds - silence_cache_key = rule['name'] + silence_cache_key = rule['realert_key'] query_key_value = self.get_query_key_value(rule, match) if query_key_value is not None: silence_cache_key += '.' + query_key_value diff --git a/elastalert/loaders.py b/elastalert/loaders.py index 57d4dabd..5fab193d 100644 --- a/elastalert/loaders.py +++ b/elastalert/loaders.py @@ -333,6 +333,7 @@ def load_options(self, rule, conf, filename, args=None): rule.setdefault(key, val) rule.setdefault('name', os.path.splitext(filename)[0]) rule.setdefault('realert', datetime.timedelta(seconds=0)) + rule.setdefault('realert_key', rule['name']) rule.setdefault('aggregation', datetime.timedelta(seconds=0)) rule.setdefault('query_delay', datetime.timedelta(seconds=0)) rule.setdefault('timestamp_field', '@timestamp') diff --git a/elastalert/schema.yaml b/elastalert/schema.yaml index 2e4f55f7..e513f461 100644 --- a/elastalert/schema.yaml +++ b/elastalert/schema.yaml @@ -237,6 +237,7 @@ properties: - type: string aggregation: *timeframe realert: *timeframe + realert_key: {type: string} exponential_realert: *timeframe buffer_time: *timeframe diff --git a/tests/conftest.py b/tests/conftest.py index 3a646584..64e25546 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -111,6 +111,7 @@ def ea(): 'include': ['@timestamp'], 'aggregation': datetime.timedelta(0), 'realert': datetime.timedelta(0), + 'realert_key': 'anytest', 'processed_hits': {}, 'timestamp_field': '@timestamp', 'match_enhancements': [], From 0881d1ffeb81c49a652c8d16265e1f801f6dcdb5 Mon Sep 17 00:00:00 2001 From: Ryan Goggin Date: Wed, 9 Nov 2022 15:42:06 -0500 Subject: [PATCH 2/4] Update CHANGELOG --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
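Review bot: `silence_cache_key = rule['realert_key']` raises KeyError for any rule dict that did not pass through load_options, whereas the `rule['name']` it replaces is the one key every rule is guaranteed to carry; `silence_cache_key = rule.get('realert_key', rule['name'])` keeps the old behaviour as the fallback at no cost. The comment block directly above still reads `# Silence is cached by query_key, if it exists`, which no longer describes the key being built; `# Silence is cached by realert_key (defaults to the rule name), plus query_key if it exists` would. run_rule starts and ends outside the hunk.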
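Review bot: `rule.setdefault('realert_key', rule['name'])` only works because the `name` default is applied two lines earlier, and nothing marks that ordering as load-bearing; a comment such as `# must follow the 'name' default above: realert_key falls back to the rule name` would protect it from a reorder. load_options starts and ends outside the hunk.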
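Review bot: `realert_key: {type: string}` accepts the empty string, and the loader's setdefault keeps a present-but-empty value, so two rules configured with `realert_key: ""` would silently share one silence cache key (just `.` plus the query key value) and suppress each other's alerts. `realert_key: {type: string, minLength: 1}` rejects that at load time. An equivalent non-empty check could live in load_options instead, but the schema is the cheaper place for it.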
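Review bot: The fixture sets `'realert_key': 'anytest'`, which presumably equals the fixture's rule name, so the existing tests cannot tell `rule['realert_key']` apart from `rule['name']` and a regression back to the name-based key would still pass. A test that sets a distinct realert_key and asserts the silence cache key that run_rule builds (and, after the later patch, the one `silence()` builds with `--silence_qk_value`) would actually cover the feature. The `ea()` fixture starts and ends outside the hunk.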
diff --git a/CHANGELOG.md b/CHANGELOG.md index 53ba260b..f221444f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,7 +4,7 @@ - None ## New features -- None +- Add `realert_key` option to override the `silence_cache_key`. Allowing the reuse of cache keys for different rules that might trigger the same actions (lockout account, etc) ## Other changes - Upgrade pylint 2.15.3 to 2.15.5, pytest 7.1.3 to 7.2.0, pytest-xdist 2.5.0 to 3.0.2, sphinx 5.2.3 to 5.3.0, tox 3.26.0 to 3.27.0 - [#988](https://github.com/jertel/elastalert2/pull/988) - @nsano-rururu From e104bb6bb5965302093c1f97c5b1dc990a9a52e5 Mon Sep 17 00:00:00 2001 From: Ryan Goggin Date: Wed, 9 Nov 2022 16:05:15 -0500 Subject: [PATCH 3/4] If running silence with query, use realert key --- elastalert/elastalert.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/elastalert/elastalert.py b/elastalert/elastalert.py index e78b90a8..65d0ce7b 100755 --- a/elastalert/elastalert.py +++ b/elastalert/elastalert.py @@ -1675,7 +1675,7 @@ def silence(self, silence_cache_key=None): # With --rule, self.rules will only contain that specific rule if not silence_cache_key: if self.args.silence_qk_value: - silence_cache_key = self.rules[0]['name'] + "." + self.args.silence_qk_value + silence_cache_key = self.rules[0]['realert_key'] + "." + self.args.silence_qk_value else: silence_cache_key = self.rules[0]['name'] + "._silence" From b0ddf9e007f5e6cebe55c5df4d3d5a72f2e07ebf Mon Sep 17 00:00:00 2001 From: Jason Ertel Date: Thu, 10 Nov 2022 18:34:04 -0500 Subject: [PATCH 4/4] Correct changelog entry format --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f221444f..bd2788cf 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
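Review bot: The two branches of this `if` now key on different fields: the `silence_qk_value` branch uses `self.rules[0]['realert_key']` while the `else` branch on the next line still builds `self.rules[0]['name'] + "._silence"`. If the whole-rule `._silence` lookup in run_rule (outside this hunk) is by rule name, the split is correct but deserves a comment, e.g. `# whole-rule silence stays keyed by rule name; only the per-query-key silence shares realert_key`; if it is not, the else branch should switch to realert_key as well, so confirm against run_rule. silence() continues outside the hunk.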
@@ -4,7 +4,7 @@ - None ## New features -- Add `realert_key` option to override the `silence_cache_key`. Allowing the reuse of cache keys for different rules that might trigger the same actions (lockout account, etc) +- Add `realert_key` option to silence groups of alerts - [#1004](https://github.com/jertel/elastalert2/pull/1004) - @goggin ## Other changes - Upgrade pylint 2.15.3 to 2.15.5, pytest 7.1.3 to 7.2.0, pytest-xdist 2.5.0 to 3.0.2, sphinx 5.2.3 to 5.3.0, tox 3.26.0 to 3.27.0 - [#988](https://github.com/jertel/elastalert2/pull/988) - @nsano-rururu