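    def run_rule_test(self):
        """Parse the command line and run the requested MockElastAlerter steps.

        Reads ``sys.argv`` with argparse, loads the rule YAML named by the
        positional ``rule`` argument and builds the config via ``load_conf``.
        Documents then come either from the ``--data`` JSON file (stored in
        ``self.data``) or from ``test_file``; queried documents can be dumped
        to ``--save-json``.  Unless ``--schema-only`` or ``--count-only`` was
        given, the rule is finally executed with ``run_elastalert``.

        Side effects: may set ``self.data``, may write the ``--save-json``
        file, and passes ``--alert`` through to ``run_elastalert`` (its help
        text says this switches from debug output to real alerts).

        Raises:
            SystemExit: from argparse on invalid arguments.
            OSError: if a ``--data`` or ``--save-json`` path cannot be opened.
        """
        parser = argparse.ArgumentParser(description='Validate a rule configuration')
        parser.add_argument('file', metavar='rule', type=str, help='rule configuration filename')
        parser.add_argument('--schema-only', action='store_true', help='Show only schema errors; do not run query')
        parser.add_argument('--days', type=int, default=1, action='store', help='Query the previous N days with this rule')
        parser.add_argument('--data', type=str, metavar='FILENAME', action='store', dest='json', help='A JSON file containing data to run the rule against')
        parser.add_argument('--alert', action='store_true', help='Use actual alerts instead of debug output')
        parser.add_argument('--save-json', type=str, metavar='FILENAME', action='store', dest='save', help='A file to which documents from the last day or --days will be saved')
        parser.add_argument('--count-only', action='store_true', dest='count', help='Only display the number of documents matching the filter')
        parser.add_argument('--config', action='store', dest='config', help='Global config file.')
        args = parser.parse_args()

        rule_yaml = load_rule_yaml(args.file)

        conf = self.load_conf(rule_yaml, args)

        if args.json:
            # User-supplied documents replace the Elasticsearch query.
            with open(args.json, 'r') as data_file:
                self.data = simplejson.load(data_file)
        else:
            # test_file gets a deep copy so rule_yaml stays untouched for
            # run_elastalert below (presumably test_file mutates the rule).
            hits = self.test_file(copy.deepcopy(rule_yaml), args)
            if hits and args.save:
                # Text mode: simplejson.dumps() returns str, which a 'wb'
                # handle rejects on Python 3.
                with open(args.save, 'w') as data_file:
                    # Add _id to _source for dump
                    for doc in hits:
                        doc['_source']['_id'] = doc['_id']
                    data_file.write(simplejson.dumps([doc['_source'] for doc in hits], indent='    '))

        if not args.schema_only and not args.count:
            self.run_elastalert(rule_yaml, conf, args)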
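    def run_rule_test(self):
        """Parse the command line and run the requested MockElastAlerter steps.

        Reads ``sys.argv`` with argparse, loads the rule YAML named by the
        positional ``rule`` argument and builds the config via ``load_conf``.
        Documents then come either from the ``--data`` JSON file (stored in
        ``self.data``) or from ``test_file``; queried documents can be dumped
        to ``--save-json``.  Unless ``--schema-only`` or ``--count-only`` was
        given, the rule is finally executed with ``run_elastalert``.

        Side effects: may set ``self.data``, may write the ``--save-json``
        file, and passes ``--alert`` through to ``run_elastalert`` (its help
        text says this switches from debug output to real alerts).

        Raises:
            SystemExit: from argparse on invalid arguments.
            OSError: if a ``--data`` or ``--save-json`` path cannot be opened.
        """
        parser = argparse.ArgumentParser(description='Validate a rule configuration')
        parser.add_argument('file', metavar='rule', type=str, help='rule configuration filename')
        parser.add_argument('--schema-only', action='store_true', help='Show only schema errors; do not run query')
        parser.add_argument('--days', type=int, default=1, action='store', help='Query the previous N days with this rule')
        parser.add_argument('--stop-error', action='store_true', help='Stop the entire test right after the first error')
        parser.add_argument(
            '--data',
            type=str,
            metavar='FILENAME',
            action='store',
            dest='json',
            help='A JSON file containing data to run the rule against')
        parser.add_argument('--alert', action='store_true', help='Use actual alerts instead of debug output')
        parser.add_argument(
            '--save-json',
            type=str,
            metavar='FILENAME',
            action='store',
            dest='save',
            help='A file to which documents from the last day or --days will be saved')
        parser.add_argument(
            '--count-only',
            action='store_true',
            dest='count',
            help='Only display the number of documents matching the filter')
        parser.add_argument('--config', action='store', dest='config', help='Global config file.')
        args = parser.parse_args()

        rule_yaml = load_rule_yaml(args.file)

        conf = self.load_conf(rule_yaml, args)

        if args.json:
            # User-supplied documents replace the Elasticsearch query.
            with open(args.json, 'r') as data_file:
                self.data = simplejson.load(data_file)
        else:
            # test_file gets a deep copy so rule_yaml stays untouched for
            # run_elastalert below (presumably test_file mutates the rule).
            hits = self.test_file(copy.deepcopy(rule_yaml), args)
            if hits and args.save:
                # Text mode: simplejson.dumps() returns str, which a 'wb'
                # handle rejects on Python 3.
                with open(args.save, 'w') as data_file:
                    # Add _id to _source for dump
                    for doc in hits:
                        doc['_source']['_id'] = doc['_id']
                    data_file.write(simplejson.dumps([doc['_source'] for doc in hits], indent='    '))

        if not args.schema_only and not args.count:
            self.run_elastalert(rule_yaml, conf, args)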
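    def run_rule_test(self):
        """Parse the command line and run the requested MockElastAlerter steps.

        Reads ``sys.argv`` with argparse, loads the rule YAML named by the
        positional ``rule`` argument and builds the config via ``load_conf``.
        Documents then come either from the ``--data`` JSON file (stored in
        ``self.data``) or from ``test_file``; queried documents can be dumped
        to ``--save-json`` and, with ``--use-downloaded``, read straight back
        into ``self.data`` from that file.  Unless ``--schema-only`` or
        ``--count-only`` was given, the rule is executed with
        ``run_elastalert``; ``--formatted-output`` finally prints
        ``self.formatted_output`` as JSON.

        Side effects: may set ``self.data`` and ``self.formatted_output``,
        may write the ``--save-json`` file, prints to stdout, and passes
        ``--alert`` through to ``run_elastalert`` (its help text says this
        switches from debug output to real alerts).

        Raises:
            SystemExit: from argparse on invalid arguments, including
                ``--use-downloaded`` without ``--save-json``.
            OSError: if a ``--data`` or ``--save-json`` path cannot be opened.
        """
        parser = argparse.ArgumentParser(description='Validate a rule configuration')
        parser.add_argument('file', metavar='rule', type=str, help='rule configuration filename')
        parser.add_argument('--schema-only', action='store_true', help='Show only schema errors; do not run query')
        parser.add_argument('--days', type=int, default=1, action='store', help='Query the previous N days with this rule')
        parser.add_argument('--start', dest='start', help='YYYY-MM-DDTHH:MM:SS Start querying from this timestamp.')
        parser.add_argument('--end', dest='end', help='YYYY-MM-DDTHH:MM:SS Query to this timestamp. (Default: present) '
                                                      'Use "NOW" to start from current time. (Default: present)')
        parser.add_argument('--stop-error', action='store_true', help='Stop the entire test right after the first error')
        parser.add_argument('--formatted-output', action='store_true', help='Output results in formatted JSON')
        parser.add_argument('--data', type=str, metavar='FILENAME', action='store', dest='json',
                            help='A JSON file containing data to run the rule against')
        parser.add_argument('--alert', action='store_true', help='Use actual alerts instead of debug output')
        parser.add_argument('--save-json', type=str, metavar='FILENAME', action='store', dest='save',
                            help='A file to which documents from the last day or --days will be saved')
        parser.add_argument('--use-downloaded', action='store_true', dest='use_downloaded', help='Use the downloaded ')
        parser.add_argument('--max-query-size', type=int, default=10000, action='store', dest='max_query_size',
                            help='Maximum size of any query')
        parser.add_argument('--count-only', action='store_true', dest='count',
                            help='Only display the number of documents matching the filter')
        parser.add_argument('--config', action='store', dest='config', help='Global config file.')
        args = parser.parse_args()

        if args.use_downloaded and not args.json and not args.save:
            # --use-downloaded re-reads the --save-json file; without that
            # filename the read-back below would be open(None) -> TypeError.
            parser.error('--use-downloaded requires --save-json FILENAME')

        rule_yaml = load_rule_yaml(args.file)

        conf = self.load_conf(rule_yaml, args)

        if args.json:
            # User-supplied documents replace the Elasticsearch query.
            with open(args.json, 'r') as data_file:
                self.data = json.load(data_file)
        else:
            # test_file gets a deep copy so rule_yaml stays untouched for
            # run_elastalert below (presumably test_file mutates the rule).
            hits = self.test_file(copy.deepcopy(rule_yaml), args)
            if hits and args.formatted_output:
                # JSON round trip: a deep copy that holds only JSON types.
                self.formatted_output['results'] = json.loads(json.dumps(hits))
            if hits and args.save:
                # Text mode: json.dumps() returns str, which a 'wb' handle rejects.
                with open(args.save, 'w') as data_file:
                    # Add _id to _source for dump
                    for doc in hits:
                        doc['_source']['_id'] = doc['_id']
                    data_file.write(json.dumps([doc['_source'] for doc in hits], indent=4))
            if args.use_downloaded:
                if hits:
                    # Point args.json at the file just written and load it
                    # the same way an explicit --data file is loaded.
                    args.json = args.save
                    with open(args.json, 'r') as data_file:
                        self.data = json.load(data_file)
                else:
                    self.data = []

        if not args.schema_only and not args.count:
            self.run_elastalert(rule_yaml, conf, args)

        if args.formatted_output:
            print(json.dumps(self.formatted_output))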
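    def run_rule_test(self):
        """Parse the command line and run the requested MockElastAlerter steps.

        Reads ``sys.argv`` with argparse, loads the rule YAML named by the
        positional ``rule`` argument and builds the config via ``load_conf``.
        Documents then come either from the ``--data`` JSON file (stored in
        ``self.data``) or from ``test_file``; queried documents can be dumped
        to ``--save-json`` and, with ``--use-downloaded``, read straight back
        into ``self.data`` from that file.  Unless ``--schema-only`` or
        ``--count-only`` was given, the rule is executed with
        ``run_elastalert``; ``--formatted-output`` finally prints
        ``self.formatted_output`` as JSON.

        Side effects: may set ``self.data`` and ``self.formatted_output``,
        may write the ``--save-json`` file, prints to stdout, and passes
        ``--alert`` through to ``run_elastalert`` (its help text says this
        switches from debug output to real alerts).

        Raises:
            SystemExit: from argparse on invalid arguments, including
                ``--use-downloaded`` without ``--save-json``.
            OSError: if a ``--data`` or ``--save-json`` path cannot be opened.
        """
        parser = argparse.ArgumentParser(description='Validate a rule configuration')
        parser.add_argument('file', metavar='rule', type=str, help='rule configuration filename')
        parser.add_argument('--schema-only', action='store_true', help='Show only schema errors; do not run query')
        parser.add_argument('--days', type=int, default=0, action='store', help='Query the previous N days with this rule')
        parser.add_argument('--start', dest='start', help='YYYY-MM-DDTHH:MM:SS Start querying from this timestamp.')
        parser.add_argument('--end', dest='end', help='YYYY-MM-DDTHH:MM:SS Query to this timestamp. (Default: present) '
                                                      'Use "NOW" to start from current time. (Default: present)')
        parser.add_argument('--stop-error', action='store_true', help='Stop the entire test right after the first error')
        parser.add_argument('--formatted-output', action='store_true', help='Output results in formatted JSON')
        parser.add_argument(
            '--data',
            type=str,
            metavar='FILENAME',
            action='store',
            dest='json',
            help='A JSON file containing data to run the rule against')
        parser.add_argument('--alert', action='store_true', help='Use actual alerts instead of debug output')
        parser.add_argument(
            '--save-json',
            type=str,
            metavar='FILENAME',
            action='store',
            dest='save',
            help='A file to which documents from the last day or --days will be saved')
        parser.add_argument(
            '--use-downloaded',
            action='store_true',
            dest='use_downloaded',
            help='Use the downloaded '
        )
        parser.add_argument(
            '--max-query-size',
            type=int,
            default=10000,
            action='store',
            dest='max_query_size',
            help='Maximum size of any query')
        parser.add_argument(
            '--count-only',
            action='store_true',
            dest='count',
            help='Only display the number of documents matching the filter')
        parser.add_argument('--config', action='store', dest='config', help='Global config file.')
        args = parser.parse_args()

        if args.use_downloaded and not args.json and not args.save:
            # --use-downloaded re-reads the --save-json file; without that
            # filename the read-back below would be open(None) -> TypeError.
            parser.error('--use-downloaded requires --save-json FILENAME')

        rule_yaml = load_rule_yaml(args.file)

        conf = self.load_conf(rule_yaml, args)

        if args.json:
            # User-supplied documents replace the Elasticsearch query.
            with open(args.json, 'r') as data_file:
                self.data = json.load(data_file)
        else:
            # test_file gets a deep copy so rule_yaml stays untouched for
            # run_elastalert below (presumably test_file mutates the rule).
            hits = self.test_file(copy.deepcopy(rule_yaml), args)
            if hits and args.formatted_output:
                # JSON round trip: a deep copy that holds only JSON types.
                self.formatted_output['results'] = json.loads(json.dumps(hits))
            if hits and args.save:
                # Text mode: json.dumps() returns str, which a 'wb' handle rejects.
                with open(args.save, 'w') as data_file:
                    # Add _id to _source for dump
                    for doc in hits:
                        doc['_source']['_id'] = doc['_id']
                    data_file.write(json.dumps([doc['_source'] for doc in hits], indent=4))
            if args.use_downloaded:
                if hits:
                    # Point args.json at the file just written and load it
                    # the same way an explicit --data file is loaded.
                    args.json = args.save
                    with open(args.json, 'r') as data_file:
                        self.data = json.load(data_file)
                else:
                    self.data = []

        if not args.schema_only and not args.count:
            self.run_elastalert(rule_yaml, conf, args)

        if args.formatted_output:
            print(json.dumps(self.formatted_output))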