From 0d9ff759611d5c0720726612a5bb6910c4f6f83c Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 4 Jan 2018 13:30:38 +0000
Subject: [PATCH 1/2] allow elastalert to query across clusters
---
 etc/elastalert/rules/bro_conn.yaml | 2 +-
 etc/elastalert/rules/ids.yaml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/etc/elastalert/rules/bro_conn.yaml b/etc/elastalert/rules/bro_conn.yaml
index e14718e..7eeef01 100644
--- a/etc/elastalert/rules/bro_conn.yaml
+++ b/etc/elastalert/rules/bro_conn.yaml
@@ -15,7 +15,7 @@ type: frequency
 # (Required)
 # Index to search, wildcard supported
-index: logstash-bro*
+index: "*:logstash-bro*"
 use_strftime_index: true
diff --git a/etc/elastalert/rules/ids.yaml b/etc/elastalert/rules/ids.yaml
index 15f1aab..54ddf1d 100644
--- a/etc/elastalert/rules/ids.yaml
+++ b/etc/elastalert/rules/ids.yaml
@@ -3,7 +3,7 @@ es_host: elasticsearch
 es_port: 9200
 name: Security Onion ElastAlert - New IDS Event!
 type: frequency
-index: logstash-ids*
+index: "*:logstash-ids*"
 num_events: 1
 timeframe:
   minutes: 1
From f9e11f06e8a1c1d41e7773b96588160c15abc73d Mon Sep 17 00:00:00 2001
From: Wes Lambert
Date: Thu, 4 Jan 2018 13:32:22 +0000
Subject: [PATCH 2/2] disable elastalert if running on sensor only
---
 usr/sbin/sosetup-elastic | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/usr/sbin/sosetup-elastic b/usr/sbin/sosetup-elastic
index ecc0856..ca66dd9 100755
--- a/usr/sbin/sosetup-elastic
+++ b/usr/sbin/sosetup-elastic
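Review bot: The new `index: "*:logstash-bro*"` line in the bro_conn.yaml hunk appears to route the query to remote clusters only — as I read Elasticsearch cross-cluster search, a `<cluster>:<index>` expression is resolved against the configured remote clusters and the local cluster's own indices are not matched unless they are listed separately — so a deployment where the node running ElastAlert also stores its own `logstash-bro*` indices would silently stop alerting on them. If local indices must stay covered, the usual form is a comma list in the same quoted string, `index: "logstash-bro*,*:logstash-bro*"` (quoting is still required, since an unquoted leading `*` is read as a YAML alias). Confirm how `use_strftime_index: true` on the following line formats a comma-separated expression before relying on that, and note the same consideration applies to the `ids.yaml` hunk.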
@@ -2024,7 +2024,12 @@ EOF
 echo "# Please wait while stopping and disabling Kibana..." | tee -a $LOG
 docker stop so-kibana >> $LOG 2>&1
 sed -i 's|KIBANA_ENABLED="yes"|KIBANA_ENABLED="no"|g' $CONF
-
+
+echo "91"
+echo "# Please wait while stopping and disabling ElastAlert..." | tee -a $LOG
+docker stop so-elastalert >> $LOG 2>&1
+sed -i 's|ELASTALERT_ENABLED="yes"|ELASTALERT_ENABLED="no"|g' $CONF
+
 echo "93"
 echo "# Please wait while stopping and disabling MySQL..." | tee -a $LOG
 service mysql stop >> $LOG 2>&1
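Review bot: The added `sed -i 's|ELASTALERT_ENABLED="yes"|ELASTALERT_ENABLED="no"|g' $CONF` is a silent no-op when `$CONF` carries no `ELASTALERT_ENABLED` line at all (a config written before the key existed), and nothing in the hunk checks its effect, so the container would be stopped now but could come back on the next start of the stack. A one-line guard after the sed keeps the disable durable: `grep -q '^ELASTALERT_ENABLED=' $CONF || echo 'ELASTALERT_ENABLED="no"' >> $CONF`. The `docker stop so-elastalert` above it is best-effort (its status goes only into `$LOG`), which matches the Kibana lines but means a failed stop is never surfaced to the operator; where `$CONF` and `$LOG` are set is outside the hunk, as is the enclosing block.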