I have syslog messages of the following type. I want to capture all such messages which contain "errors" in the message field of the syslog.
<30>Apr 9 04:27:13 ip-172-31-26-235 POSTMETHOD_fx-control-plane.1.k61c5pc0vd89zlrr3uwt7cj82/c720d84be94a[24233]: 2019-04-09 04:27:13.276 WARN 6 --- [ container-2] ingErrorHandler$DefaultExceptionStrategy : Fatal message conversion error; message rejected; it will be dropped or routed to a dead letter exchange, if so configured: (Body:'[B@2ce66e13(byte[3009])' MessageProperties [headers={}, contentType=application/x-java-serialized-object, contentLength=0, receivedDeliveryMode=PERSISTENT, priority=0, redelivered=false, receivedExchange=fx-exchange, receivedRoutingKey=fx-default-response-queue, deliveryTag=87, consumerTag=amq.ctag-wDCsD1_770goBmFKBAOhug, consumerQueue=fx-default-response
To achieve this result, I am using an elastalert blacklist rule with the following configuration:
es_host: elasticsearch
es_port: 9200
es_username: elastic
es_password: changeme
name: Slack blacklist rule
type: blacklist
index: logstash*
compare_key: message
blacklist:
  - "error"
realert:
  hours: 1
filter:
  - query:
      query_string:
        query: "error"
alert:
  - slack
slack_webhook_url: "https://hooks.slack.com/services/******/*****/*******"
slack_username_override: "ElastAlert"
I am not able to figure out what is wrong with the configuration to achieve my desired result of capturing all syslog messages whose message field contains "error".
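As an added illustration (not part of the question above and not ElastAlert's own code), the following Python re-implements the comparison that the `blacklist` rule type performs and runs it over two constructed syslog lines, one cut down from the message in the question and one benign line. The header regex and the resulting field names are assumptions about how a Logstash syslog pipeline populates the `message` field; the rule semantics are the documented ones for the blacklist type: the whole value of `compare_key` must equal one of the blacklist entries, so a long log message that merely contains the word "error" never matches, while a substring test does.

```python
import re

# Constructed sample lines (not the original ES documents): the first is cut down
# from the syslog message in the question, the second is a benign line for contrast.
SAMPLE_LINES = [
    "<30>Apr 9 04:27:13 ip-172-31-26-235 "
    "POSTMETHOD_fx-control-plane.1.k61c5pc0vd89zlrr3uwt7cj82/c720d84be94a[24233]: "
    "2019-04-09 04:27:13.276 WARN 6 --- [ container-2] "
    "ingErrorHandler$DefaultExceptionStrategy : Fatal message conversion error; message rejected",
    "<30>Apr 9 04:28:01 ip-172-31-26-235 "
    "POSTMETHOD_fx-control-plane.1.k61c5pc0vd89zlrr3uwt7cj82/c720d84be94a[24233]: "
    "2019-04-09 04:28:01.004 INFO 6 --- [ container-2] "
    "o.s.a.r.c.CachingConnectionFactory : Created new connection",
]

# BSD-style syslog header: <PRI>Mon D HH:MM:SS host program[pid]: message
# (assumed layout; field names mirror what a Logstash syslog grok pattern produces)
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<program>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)


def parse_syslog(line):
    """Split one syslog line into the fields that would be indexed.

    Assumption: 'message' holds the text after the 'program[pid]: ' header.
    On a parse failure the whole line is kept as 'message', as Logstash does.
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return {"message": line, "tags": ["_syslogparsefailure"]}
    fields = m.groupdict()
    fields["pid"] = int(fields["pid"]) if fields["pid"] else None
    return fields


def blacklist_rule(events, compare_key, blacklist):
    """Semantics of ElastAlert's `blacklist` rule type: an event matches only when
    the entire value of compare_key is one of the blacklist entries.  There is no
    substring or token match, which is why a full log line never equals "error"."""
    return [e for e in events if e.get(compare_key) in blacklist]


def contains_rule(events, compare_key, needle):
    """Case-insensitive 'field contains needle', i.e. what the question asks for."""
    needle = needle.lower()
    return [e for e in events if needle in str(e.get(compare_key, "")).lower()]


if __name__ == "__main__":
    events = [parse_syslog(line) for line in SAMPLE_LINES]
    print("blacklist matches:", len(blacklist_rule(events, "message", ["error"])))
    print("contains matches: ", len(contains_rule(events, "message", "error")))
```

The `query_string` filter in the posted rule is applied on the Elasticsearch side, but the blacklist comparison then runs over every hit returned, and a hit only counts when `message` is exactly `"error"`. ElastAlert's `any` rule type, which matches every document the filter returns, is the type whose behaviour corresponds to `contains_rule` above when paired with that filter.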