Errno 99 when testing rule with "Send real alerts"

[scott-oit]

If I enable "Send real alerts", I get the following:

Test run error
ERROR:root:Error while running alert email: Error connecting to SMTP host: [Errno 99] Address not available

If I save the rule, it seems to function just fine. I still get alerts like normal. I'm using basic SMTP, no auth, no special port. This is the only thing set in my base_rule.config. I've also tried the IP.

smtp_host: 'smtp.dns.name'
smtp_port: 25

I'm running it Praeco via Docker. Any ideas? Where can I look for logs? I'm hoping it's simple.

Thank you!

[daichi703n]

Hi, @scott-oit
Original ElastAlert (base of servercentral/elastalert)(not Praeco) has some bugs. I faced this issue too and I fixed on my own.
For experimental use, I created fixed image daichi703n/elastalert:0.2.1-dev. If you can test, please replace your elastalert docker image on docker-compose.yml.

Fixed issues

• Can't run test rule with import
• Enable/Disable does not work
• Keep remains deleted rule

I'm continuously testing for merging my fixes to original repo.

[scott-oit]

@daichi703n That is working! Thank you!

[daichi703n]

@scott-oit Great!
Could you please use daichi703n/elastalert:0.2.1-dev2?
I just merged fixing about Alert log does not written, by @jfcantu .

[scott-oit]

I tried it, but I get the following error when testing rules, now. I'm swapped back to daichi703n/elastalert:0.2.1-dev and the error goes away.

Error running your filter:
TypeError("search() got multiple values for argument 'body'",)
INFO:elastalert:Note: In debug mode, alerts will be logged to console but NOT actually sent.
                To send them but remain verbose, use --verbose instead.

[daichi703n]

@scott-oit Thanks. Hmm... I'll re-test. Please use 0.2.1-dev.

[jfcantu]

It appears this is broken in ElastAlert itself.

In elasticsearch-py v7.5.0, they changed up the parameters to the client.search() function:

Old definition: def search(self, index=None, body=None, params=None):
New definition: def search(self, body=None, index=None, doc_type=None, params=None):.

rule_test.py in ElastAlert doesn't pass index as a named parameter (see here) so the change to elasticsearch-py broke that functionality. It appears that this only affects rule_test.py - calls to client.search() in other source files pass index as a named parameters, and aren't affected. I commented about it on this issue, it seems like rule_test.py got overlooked when they were updating ElastAlert to be compatible with elastalert-py 7.5.

[scott-oit]

I'm closing this issue since Praeco isn't the issue.
@daichi703n , let me know if you need me to test any release.

[nsano-rururu]

@daichi703n

I found that the problem that occurs in the @scott-oit environment can be solved by changing the source code of ElastAlert as follows.

test_rules.py

Line86

res = es_client.search(index, size=1, body=query, ignore_unavailable=True)
↓
res = es_client.search(index=index, size=1, body=query, ignore_unavailable=True)

Line112

res = es_client.count(index, doc_type=doc_type, body=count_query, ignore_unavailable=True)
↓
res = es_client.count(index=index, doc_type=doc_type, body=count_query, ignore_unavailable=True)

Line 156

res = es_client.search(index, size=args.max_query_size, body=query, ignore_unavailable=True)
↓
res = es_client.search(index=index, size=args.max_query_size, body=query, ignore_unavailable=True)

[nsano-rururu]

@daichi703n

elasticsearch-py	Test Run	Send real alerts
7.0.0	〇	〇
7.10.0	✖	✖
7.10.0	✖	✖
7.10.0	〇 (fix test_rules.py )	✖
7.10.0	〇 (fix test_rules.py )	〇 (Fix initializing self.thread_data.alerts_sent for running elastalert-test-rule #2991)