Elastalert2 restriction on documents

[ishukeshri2712]

Suppose I m administrator of elastalert2 and I given access to someone who ran a query with putting timeframe field so it will query over all the documents in the index I mentioned and it will make load to much on elastalert server, I want to restrict this how to do that? @jertel

[jertel]

I'm not fully understanding the scenario you're describing. Let's try a list of facts:

• You are the admin of the ElastAlert 2 server
• Someone else is creating ElastAlert 2 rules that run on your server? True?
• That person is creating queries in the rules, and the queries are reading indices that do not have timestamps? True?
• The Elasticsearch handles this fine but ElastAlert 2 server is having issues? True?
• If so, what kind of issues?
• You want to prevent users from writing inefficient rules?
• OR you want to prevent users from reading from certain indices in Elasticsearch?
• OR something else?

[ishukeshri2712]

Yes someone else is creating the rules ✔️
That person is creating rules which is query over all the documents in the indices with no timestamp ( like query last five minutes data ) I want to restrict the user from creating a rule which query over all the documents without restricting it in rule. @jertel

[jertel]

ElastAlert 2 doesn't provide any user authorization. Elasticsearch provides index authorization. So if you want to keep people out of certain indices then you can use Kibana to remove a user's access to that index.

Another option is to write a script that validates a rule file contains a timestamp setting and then query Elasticsearch to ensure that the rule's target index contains a field matching that timestamp field specified in the rule.

There are a lot of ways a user can still wreak havoc on your cluster, so this validation script would likely need to constantly be updated to enforce more checks.

[ishukeshri2712]

I m telling that as an admin of ElastAlert how i can restrict the user from not query over all the documents in an index
for example I have a filebeat index which has 500GB of data and if someone create a rule to query over all the documents with no timeframe ( that is in last 5 minutes or 10 minutes if he don't put) it will query over whole 500 GB of data and make elastalert down right so i want the person cannot make this rule. @jertel

[ishukeshri2712]

@jertel plse reply above thread with plse

[nsano-rururu]

The operation method needs to be reviewed.

• Use Elasticsearch Index Lifecycle Management (ILM) to delete indices that have passed a specified period.

Or

• When specifying an index, separate the indexes by index name-date. Close unused indexes.

[nsano-rururu]

The following settings may be related. I have not tried them.

https://elastalert2.readthedocs.io/en/latest/configuration.html#global-configuration

• max_query_size
• max_scrolling_count
• scroll_keepalive
• max_aggregation

[ishukeshri2712]

I tried document level security where i created a user which has access for only last 1 hr log but it comes with platinum license. I m using it with Praeco. @jertel

[ishukeshri2712]

@jertel plse help