@soulsearcher
Last active September 8, 2022 08:25
# ElastAlert rule: send a Telegram alert for every document whose "type" field is "access".
# The rule type is "any", so it fires on each matching event; the commented-out
# new_term settings below are only used if the type is changed to "new_term".
# (Optional)
# Elasticsearch host
es_host: localhost
# (Optional)
# Elasticsearch port
es_port: 9200
# (Optional) Connect with SSL to Elasticsearch
#use_ssl: True
# (Optional) basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword
# (Required)
# Rule name, must be unique
name: openvpn_term_rule
# (Required)
# Type of alert.
# The "any" rule type alerts on every event matched by the filter below
type: any
# (Required)
# Index to search, wildcard supported
index: example-*
# (Required, new_term specific)
# Field(s) whose never-before-seen values should trigger an alert
#fields:
#  - "_id"
# (Optional, new_term specific)
# When ElastAlert starts it queries terms_window_size worth of data to find which values of the field already exist.
# Values seen in that window (here: the last day) do not trigger alerts when they appear again
#terms_window_size:
#  days: 1
# (Required)
# A list of Elasticsearch filters used to find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
# We are filtering for only documents whose "type" field is "access"
filter:
- query:
    query_string:
      query: "type: access"
# (Required)
# The alert is used when a match is found
alert:
- "telegram"
# {0}, {1}, {2} are replaced, in order, by the alert_text_args fields of the matched document
alert_text: "from elastalert - {0}, {1}, {2}"
alert_text_args: ["type", "username2", "timestamp"]
alert_text_type: alert_text_only
# Bot token issued by BotFather (placeholder; the file holding it should be readable only by the ElastAlert user)
telegram_bot_token: bot_token
# Unique identifier for the target chat or username of the target channel (in the format @channelusername)
# https://api.telegram.org/bot_token/getUpdates
telegram_room_id: "chat_id"
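To see what message the rule above would actually send, here is an added example (not part of the gist and not ElastAlert's own code) that approximates how ElastAlert fills alert_text from alert_text_args: each argument is looked up in the matched document (dotted paths descend into nested objects), falls back to a top-level rule property of the same name, and otherwise becomes "<MISSING VALUE>". The match documents are constructed, and the rule is transcribed as a dict so the script runs without PyYAML.

```python
"""Render the Telegram text for the openvpn_term_rule above (added example)."""

# The rule above, transcribed as a dict (only the keys this example needs).
RULE = {
    "name": "openvpn_term_rule",
    "type": "any",
    "index": "example-*",
    "alert_text": "from elastalert - {0}, {1}, {2}",
    "alert_text_args": ["type", "username2", "timestamp"],
    "alert_text_type": "alert_text_only",
}


def lookup_es_key(doc, key):
    """Look up a field in a match document; dotted keys walk nested objects."""
    if key in doc:
        return doc[key]
    value = doc
    for part in key.split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def render_alert_text(rule, match):
    """Approximation of ElastAlert's alert_text formatting (assumption: mirrors alerts.py)."""
    args = rule.get("alert_text_args", [])
    values = [lookup_es_key(match, arg) for arg in args]
    for i, arg in enumerate(args):
        # Missing document field: ElastAlert falls back to a rule property of the same name.
        # Note the side effect for this rule: a document without "type" prints the rule type "any".
        if values[i] is None and rule.get(arg):
            values[i] = rule[arg]
    values = ["<MISSING VALUE>" if v is None else v for v in values]
    return rule["alert_text"].format(*values)


# Constructed sample matches (not real log data).
FULL_MATCH = {"type": "access", "username2": "alice", "timestamp": "2022-09-08T08:25:00Z"}
# Document that uses "@timestamp" instead of "timestamp" and carries no username2.
PARTIAL_MATCH = {"type": "access", "@timestamp": "2022-09-08T08:25:00Z"}
# Document with no "type" field at all.
NO_TYPE_MATCH = {"username2": "bob", "timestamp": "2022-09-08T08:26:00Z"}

if __name__ == "__main__":
    for m in (FULL_MATCH, PARTIAL_MATCH, NO_TYPE_MATCH):
        print(render_alert_text(RULE, m))
```

Run it to confirm the field names in alert_text_args match your documents before deploying; a mismatch silently produces "<MISSING VALUE>" or rule values in the alert.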