Command Line Flags

ElastAlert 2 accepts several optional command line parameters:

--config <config.yaml>
    will specify the configuration file to use. The default is config.yaml.

--debug
    will run ElastAlert 2 in debug mode. This will increase the logging
    verbosity, change all alerts to DebugAlerter, which prints alerts and
    suppresses their normal action, and skip writing search and alert metadata
    back to Elasticsearch. Not compatible with --verbose.

--end <timestamp>
    will force ElastAlert 2 to stop querying after the given time, instead of
    the default, querying to the present time. This really only makes sense
    when running standalone. The timestamp is formatted as YYYY-MM-DDTHH:MM:SS
    (UTC) or with timezone YYYY-MM-DDTHH:MM:SS-XX:00 (UTC-XX).

--es_debug
    will enable logging for all queries made to Elasticsearch.

--es_debug_trace <trace.log>
    will enable logging curl commands for all queries made to Elasticsearch to
    the specified log file. --es_debug_trace is passed through to
    elasticsearch.py, which logs localhost:9200 instead of the actual
    es_host:es_port.

--pin_rules
    will stop ElastAlert 2 from loading, reloading or removing rules based on
    changes to their config files.

--prometheus_port <port>
    exposes ElastAlert 2 Prometheus metrics on the specified port. Prometheus
    metrics are disabled by default.

--rule <rule.yaml>
    will only run the given rule. The rule file may be a complete file path or
    a filename in rules_folder or its subdirectories.

--silence <unit>=<number>
    will silence the alerts for a given rule for a period of time. The rule
    must be specified using --rule. <unit> is one of days, weeks, hours,
    minutes or seconds. <number> is an integer. For example,
    --rule noisy_rule.yaml --silence hours=4 will stop noisy_rule from
    generating any alerts for 4 hours.

--silence_qk_value <value>
    will silence the rule only for the given query key value. This parameter
    is intended to be used with the --rule parameter.

--start <timestamp>
    will force ElastAlert 2 to begin querying from the given time, instead of
    the default, querying from the present. The timestamp should be ISO8601,
    e.g. YYYY-MM-DDTHH:MM:SS (UTC) or with timezone YYYY-MM-DDTHH:MM:SS-08:00
    (PST). Note that if querying over a large date range, no alerts will be
    sent until that rule has finished querying over the entire time period.
    To force querying from the current time, use "NOW".

--verbose
    will increase the logging verbosity, which allows you to see information
    about the state of queries. Not compatible with --debug.
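The --silence and --start/--end value formats described above are easy to get wrong in a wrapper script that replays a rule over a historical window. The following added example (not part of ElastAlert 2 or its documentation) validates both formats the way the entries above define them, so a bad value is caught before ElastAlert 2 is ever invoked; it treats a timestamp without an offset as UTC and normalises the resulting window to UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Units accepted by --silence <unit>=<number>, as documented above.
SILENCE_UNITS = ("days", "weeks", "hours", "minutes", "seconds")

# Documented --start/--end shape: YYYY-MM-DDTHH:MM:SS with an optional +HH:MM / -HH:MM offset.
_TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}([+-]\d{2}:\d{2})?")


def parse_silence(arg):
    """Turn a --silence argument such as 'hours=4' into a timedelta.

    Raises ValueError for an unknown unit or a non-positive/non-integer count.
    """
    unit, sep, number = arg.partition("=")
    if not sep or unit not in SILENCE_UNITS:
        raise ValueError(f"<unit> must be one of {SILENCE_UNITS}: {arg!r}")
    if not number.isdigit() or int(number) == 0:
        raise ValueError(f"<number> must be a positive integer: {arg!r}")
    # timedelta accepts exactly these keyword names (weeks, days, hours, ...).
    return timedelta(**{unit: int(number)})


def parse_boundary(arg):
    """Parse a --start/--end value: 'NOW' or the documented ISO8601 form.

    A value with no offset is interpreted as UTC, matching the documentation.
    """
    if arg == "NOW":
        return datetime.now(timezone.utc).replace(microsecond=0)
    if not _TIMESTAMP_RE.fullmatch(arg):
        raise ValueError(f"timestamp must be YYYY-MM-DDTHH:MM:SS[+-HH:MM]: {arg!r}")
    ts = datetime.fromisoformat(arg)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def backfill_window(start, end):
    """Return (start_utc, end_utc) for a --start/--end pair, rejecting an inverted range."""
    s, e = parse_boundary(start), parse_boundary(end)
    if e <= s:
        raise ValueError("--end must be later than --start")
    return s.astimezone(timezone.utc), e.astimezone(timezone.utc)


if __name__ == "__main__":
    # Constructed sample: a 4-hour PST window expressed against a UTC end time.
    print(parse_silence("hours=4"), backfill_window("2024-01-01T00:00:00-08:00", "2024-01-01T12:00:00"))
```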