Elastalert email not emailing.

[2nutz4u]

Version

2.4.100

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

4

RAM

32

Storage for /

293GB

Storage for /nsm

700G

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

No email alerts from elastalert.
Steps I have taken:

1. I followed the documentation https://svr-securityonion/docs/notifications.html
   
   
2. Created a detection rule.
   
3. I do see the alerts in the dashboard but no email.
   

I have tried with and without email authentication.
Did I miss a step?

Please advise. Thank you.

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[TOoSmOotH]

This is a pro feature. You can contact support if you have pro and they can assist in taking a look at this. If you do not own pro you will have to manage Elastalert rules and alerters via the cli by dropping your elastalert rules in /opt/so/saltstack/local/salt/elastalert/files/custom

Please note that this is the exact same way it was done prior to 2.4.70.

[2nutz4u]

Thank you for the clarification. Do you have a sample custom rule or documentation that I can refer to?

[2nutz4u]

Anyone? I have been struggling to get the rule to work.

[TOoSmOotH]

https://docs.securityonion.net/en/2.4/elastalert.html

https://elastalert2.readthedocs.io/en/latest/elastalert.html#overview