File: adding_loaders.rst

package info (click to toggle)
elastalert 0.2.4-3
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 1,472 kB
  • sloc: python: 12,252; makefile: 108; sh: 2
file content (85 lines) | stat: -rw-r--r-- 2,696 bytes parent folder | download | duplicates (2) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
 
.. _loaders:

Rules Loaders
========================

RulesLoaders are subclasses of ``RulesLoader``, found in ``elastalert/loaders.py``. They are used to
gather rules for a particular source. Your RulesLoader needs to implement three member functions, and
will look something like this:

.. code-block:: python

    class AwesomeNewRulesLoader(RulesLoader):
        def get_names(self, conf, use_rule=None):
            ...
        def get_hashes(self, conf, use_rule=None):
            ...
        def get_yaml(self, rule):
            ...

You can import loaders by specifying the type as ``module.file.RulesLoaderName``, where module is the name of a
python module, and file is the name of the python file containing a ``RulesLoader`` subclass named ``RulesLoaderName``.

Example
-------

As an example loader, let's retrieve rules from a database rather than from the local file system. First, create a
modules folder for the loader in the ElastAlert directory.

.. code-block:: console

    $ mkdir elastalert_modules
    $ cd elastalert_modules
    $ touch __init__.py

Now, in a file named ``mongo_loader.py``, add

.. code-block:: python

    from pymongo import MongoClient
    from elastalert.loaders import RulesLoader
    import yaml

    class MongoRulesLoader(RulesLoader):
        def __init__(self, conf):
            super(MongoRulesLoader, self).__init__(conf)
            self.client = MongoClient(conf['mongo_url'])
            self.db = self.client[conf['mongo_db']]
            self.cache = {}

        def get_names(self, conf, use_rule=None):
            if use_rule:
                return [use_rule]

            rules = []
            self.cache = {}
            for rule in self.db.rules.find():
                self.cache[rule['name']] = yaml.load(rule['yaml'])
                rules.append(rule['name'])

            return rules

        def get_hashes(self, conf, use_rule=None):
            if use_rule:
                return [use_rule]

            hashes = {}
            self.cache = {}
            for rule in self.db.rules.find():
                self.cache[rule['name']] = rule['yaml']
                hashes[rule['name']] = rule['hash']

            return hashes

        def get_yaml(self, rule):
            if rule in self.cache:
                return self.cache[rule]

            self.cache[rule] = yaml.load(self.db.rules.find_one({'name': rule})['yaml'])
            return self.cache[rule]

Finally, you need to specify in your ElastAlert configuration file that MongoRulesLoader should be used instead of the
default FileRulesLoader, so in your ``elastalert.conf`` file::

    rules_loader: "elastalert_modules.mongo_loader.MongoRulesLoader"