so-elastalert-test fails


Tim Bentley

Feb 14, 2019, 4:04:12 PM
to security-onion
Trying to use so-elastalert-test, I found it failed with bash errors even when run against the sample rules.

I fixed up the code to work for me. Here is my attached fix:

so-elastalert-test

Wes Lambert

Feb 14, 2019, 5:00:15 PM
to securit...@googlegroups.com
Hi Tim,

I just tried with the current version and it works fine for me.

How are you trying to run it, and what output/errors are you receiving?

Thanks,
Wes

On Thu, Feb 14, 2019 at 4:04 PM Tim Bentley <tim.b...@gmail.com> wrote:
Trying to use so-elastalert-test, I found it failed with bash errors even when run against the sample rules.

I fixed up the code to work for me. Here is my attached fix:


Tim Bentley

Feb 14, 2019, 5:22:22 PM
to security-onion
Wes,
The error I was getting, and still am, is this:
/usr/sbin/so-elastalert-test: line 34: [: =: unary operator expected

This is a fully patched SO server.

The output from the run is as follows:

merlin@trinity-ids:/etc/elastalert/rules$ sudo so-elastalert-test

This script will allow you to test an elastalert rule.
Note: The rule must be accessable by the elastalert docker container.

Please enter the file path and rule name you want to test.
/etc/elastalert/rules/
bro_conn.yaml change.yaml flatline.yaml ids.yaml new_term.yaml trinity1.yaml
/etc/elastalert/rules/flatline.yaml
The results can be rather long. Would you like to write the results to a file? (Y/N)

/usr/sbin/so-elastalert-test: line 34: [: =: unary operator expected

Wes Lambert

Feb 14, 2019, 5:58:32 PM
to securit...@googlegroups.com
Hi Tim,

Okay, I can see that if you don't provide any input to the log file prompt, it throws an error about the unary operator being expected. However, the modified version you've provided currently creates an improper condition for the log file save portion, so I've updated the script as follows:


Thanks,
Wes
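The bash pitfall behind that error, as an added illustration that is not the so-elastalert-test script or either of the fixes exchanged in this thread: an unquoted variable inside `[ ... ]` vanishes when the user just presses Enter, so test(1) is left with `[ = "Y" ]`. The prompt answer is passed as a function argument (instead of `read`) so the behaviour can be checked non-interactively.

```shell
#!/bin/sh
# Constructed example of the "[: =: unary operator expected" failure and its fix.
# Not the so-elastalert-test code; the function and label names are made up here.

# Buggy check. With an empty answer, `[ $answer = "Y" ]` expands to `[ = "Y" ]`:
# test(1) sees a lone "=" where a unary operator belongs, prints the error and
# exits with status 2. The `if` silently takes the else branch, so the script
# carries on without ever asking again or telling the user what went wrong.
save_log_unquoted() {
    answer="$1"
    if [ $answer = "Y" ]; then
        echo "write-log"
    else
        echo "no-log"
    fi
}

# Exit status of the raw buggy test, to make the failure observable:
# "Y" -> 0 (true), "N" -> 1 (false), "" -> 2 (syntax error, not a "no").
buggy_test_status() {
    answer="$1"
    status=0
    [ $answer = "Y" ] 2>/dev/null || status=$?
    echo "$status"
}

# Fixed check. Quoting the variable keeps an empty string as one argument, so the
# comparison stays well formed. A case statement also accepts y/Y, treats a bare
# Enter as "N", and rejects anything else instead of guessing.
save_log_quoted() {
    answer="$1"
    case "$answer" in
        [Yy])   echo "write-log" ;;
        [Nn]|"") echo "no-log" ;;
        *)      echo "invalid-answer"; return 1 ;;
    esac
}

# Stand-alone demo: compare both checks on the inputs a user might type.
for a in Y n ""; do
    printf 'answer="%s"  unquoted test status=%s  quoted result=%s\n' \
        "$a" "$(buggy_test_status "$a")" "$(save_log_quoted "$a")"
done
```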

Tim Bentley

Feb 24, 2019, 4:03:14 AM
to security-onion
These have fixed my issues. Thanks.