elastalert to elastic indices creation error

[William Plessinger]

Hi Team,

I am testing playbook functionality. I've setup a play and activated it. The template shows up in the hive and the elastalert rule shows up in "/opt/so/rules/elastalert/playbook/". When watching the log "tail -f /opt/so/log/elastalert/elastalert.log" I see the play being executed and matches are found but I'm getting the log

"2020-09-02 02:22:29,641    ERROR                 root Uncaught exception running rule wdp2 play - 759201939: HTTPConnectionPool(host='sec2', port=9200): Max retries exceeded with url: /so-playbook-alerts-2020.09.02/_doc/ (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7ff4525432b0>: Failed to establish a new connection: [Errno -2] Name does not resolve',))
"

When I look in Kibana for any indices with "so-playbook-*" I don't see that any have been created.

I believe that the creation of the indice happens within playbook-es.py:

cat /opt/so/conf/elastalert/modules/so/playbook-es.py | grep "so-playbook-alerts"
            url = f"http://{self.rule['elasticsearch_host']}/so-playbook-alerts-{today}/_doc/"

Any ideas how I may have messed up my setup during initial build or otherwise?

[William Plessinger]

I rebuilt the so server and chose fqdn for the certs during setup and now playbook->elastalert->so-playbook-alerts and hive cases are being created. I don't know that this was the fix action but it works now.

The alert pipeline is awesome! Thankyou for the great work!