From 177d7f053455d8c6c5ec2b73f1b2e7fe56710320 Mon Sep 17 00:00:00 2001
From: jurgenhaas <juergen@paragon-es.de>
Date: Fri, 6 May 2016 12:48:20 +0200
Subject: [PATCH] Make Drupal alert queries customizable

---
 defaults/main.yml                              | 10 ++++++++--
 templates/alerts/rules/rule.drupal.apache.yaml |  2 +-
 templates/alerts/rules/rule.drupal.syslog.yaml |  2 +-
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index 9209c94..d5c521f 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,6 +1,12 @@
 ES_HEAP_SIZE: 1G
 elastalert_defaults:
   drupal:
-    syslog: []
-    apache: []
+    syslog:
+      query: '@log_name:"syslog.local0.err" OR @log_name:"syslog.local0.crit" OR @log_name:"syslog.local0.alert" OR @log_name:"syslog.local0.emerg"'
+      extra: []
+    apache:
+      query:
+        access: 'code:[500 TO 599]'
+        error: 'level:"*error"'
+      extra: []
 elastalerts: []
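Review bot: The new `syslog.query` default is a single ~140-character quoted scalar, which is hard to diff and review and exceeds the usual line-length limit; a folded block scalar (`query: >-`) with one `OR` clause per line would render the same string. The change also turns `drupal.syslog` and `drupal.apache` from lists into mappings, and since Ansible's default `hash_behaviour` replaces rather than merges dictionaries, anyone overriding `elastalert_defaults` to customise one query must restate the whole mapping — a short comment above `elastalert_defaults` saying so would save a support round-trip. It is not visible here what consumes `extra`; presumably it takes over the old list's role, and a one-line comment such as `# extra: additional filter clauses (see templates/alerts/rules/)` would make the migration explicit.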
diff --git a/templates/alerts/rules/rule.drupal.apache.yaml b/templates/alerts/rules/rule.drupal.apache.yaml
index 42ece02..7499e88 100644
--- a/templates/alerts/rules/rule.drupal.apache.yaml
+++ b/templates/alerts/rules/rule.drupal.apache.yaml
@@ -37,7 +37,7 @@ filter: [
     {
         "query_string": {
             "analyze_wildcard": true,
-            "query": "(@log_name:\"apache.error.var.log.apache2.{{ item.1.domain }}-error.log\" AND level:\"*error\") OR (@log_name:\"apache.access.var.log.apache2.{{ item.1.domain }}-access.log\" AND code:[500 TO 599])"
+            "query": {{ ['(@log_name:"apache.error.var.log.apache2.', item.1.domain, '-error.log" AND (', elastalert_defaults.drupal.apache.query.error, ')) OR (@log_name:"apache.access.var.log.apache2.', item.1.domain, '-access.log" AND (', elastalert_defaults.drupal.apache.query.access, '))']|join("")|to_nice_json }}
         }
     }
 ]
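Review bot: The composed query wraps `elastalert_defaults.drupal.apache.query.error` and `.query.access` in parentheses without guarding against an empty override, so a user who sets either to `''` renders `AND ()`, which is not a valid query_string and will most likely be rejected when the rule is loaded; the same applies to `elastalert_defaults.drupal.syslog.query` in the rule.drupal.syslog.yaml hunk. Because these strings decide what the alert matches, an empty or malformed override should fail loudly rather than silently change alert scope, e.g. an `assert` task before templating with `that: elastalert_defaults.drupal.apache.query.error | length > 0`. Piping the assembled string through `to_nice_json` is an improvement over the hand-escaped literal, but `item.1.domain` is still interpolated verbatim into a query_string, so domain values containing query_string operators or spaces would alter the match; validating `domain` against a hostname pattern at the point it is defined is worth adding. The enclosing `filter:` flow sequence starts before this hunk.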
diff --git a/templates/alerts/rules/rule.drupal.syslog.yaml b/templates/alerts/rules/rule.drupal.syslog.yaml
index f79a503..078d3df 100644
--- a/templates/alerts/rules/rule.drupal.syslog.yaml
+++ b/templates/alerts/rules/rule.drupal.syslog.yaml
@@ -37,7 +37,7 @@ filter: [
     {
         "query_string": {
             "analyze_wildcard": true,
-            "query": "ident:{{ item.1.domain }} AND (@log_name:\"syslog.local0.err\" OR @log_name:\"syslog.local0.crit\" OR @log_name:\"syslog.local0.alert\" OR @log_name:\"syslog.local0.emerg\")"
+            "query": {{ ['ident:', item.1.domain, ' AND (', elastalert_defaults.drupal.syslog.query, ')']|join("")|to_nice_json }}
         }
     }
 ]
-- 
GitLab