elastalert2已经支持kubernetes或者docker部署的方式
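---
# ElastAlert2 rule: raise an email alert when "Failed password" log lines
# exceed a threshold. Fires once `num_events` documents matching `filter`
# arrive within `timeframe`; repeat alerts are suppressed for `realert`.
es_host: 10.15.4.121
es_port: 9200
# NOTE(review): no use_ssl / es_username / es_password are set here, so unless
# the global config supplies them the Elasticsearch connection is plaintext
# and unauthenticated — confirm that is intended.
name: failedlogin
type: frequency
index: "pro-sec*"  # quoted: a bare `*` is a YAML alias sigil
num_events: 10
timeframe:
  minutes: 1
filter:
  - query_string:
      query: "message: Failed AND message: password AND message: for"
smtp_host: xxxx.com.mail.protection.partner.outlook.cn
smtp_port: 25
# NOTE(review): no smtp_ssl / smtp_auth_file is configured, so alert mail is
# handed to the relay unauthenticated over plain port 25 — confirm.
# NOTE(review): `user` does not appear to be consumed by the email alerter;
# SMTP credentials normally live in smtp_auth_file — verify against the docs.
user: notify@example.com
from_addr: notify@example.com
email_reply_to: xxxxx@example.com
realert:
  minutes: 30
alert:
  - "email"
email:
  - "xxxxx@example.com"
alert_text_type: alert_text_only
# alert_text is formatted positionally: each `{}` consumes one entry of
# alert_text_args in order. Keep the number of `{}` equal to the number of
# args — surplus args are silently ignored, so a missing placeholder drops
# a field from the alert without any error (here: host.name).
alert_text: |
  Dear Team, the error is aboved 10 in one minute, please take action!
  Check time: {}
  IP: {}
  Host: {}
  error Message: "Failed password for"
alert_text_args:
  - "@timestamp"
  - fields.serverip
  - host.name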