Praeco Walkthrough

Part 1 — Installation & rule creation

Welcome to the first of a series of articles meant to assist you in the setup and operation of praeco – a tool to interactively build alerts for your Elasticsearch data using ElastAlert.

First, download the latest version.

mkdir praeco && cd praeco
curl -L -o
unzip && rm

Then edit the file rules/BaseRule.config, adding your Slack and SMTP settings.

Now you can run praeco with Docker [1], providing the IP address of your Elasticsearch instance.

docker-compose up

[1] On Windows, use this invocation in PowerShell:

docker-compose.exe up

Praeco should now be available at http://localhost:8080

Welcome to praeco. To get started, click Rules → Add rule. You’ll be taken to a screen similar to the image above.

  1. Enter a name for your rule.
  2. For the index, the value will depend on your data. Our data is in the ms-* indices, so we use that. A dropdown list of suggestions based on your ES indices will appear when you click into this field. Choose one, or type in your own. You may use strftime format (%Y-%m-%d) here.
  3. If the time field in your data is stored as a Date, use Default. If stored as a timestamp, choose one of the other options.
  4. Choose which field in this index represents time. This depends on your data, but @timestamp is a common name.
  5. Select criteria for alerting here. There are many options beyond the scope of this article. For our example, we will use “count”.
  6. If you want your rule to be grouped based on a certain field, you can do that here. Counts will be stored separately for each value of this field. Think of this as creating a series of alerts, one for each different value of this field.
  7. This dropdown allows you to choose the data you are alerting against, using a series of filters. Select a field to filter on, then click “Add filter”. You can then enter a value to filter for and the type of match (contains/doesn’t contain/etc). Keep adding filters until you have the results you want to alert against. The exact filters you add depend on the type of data you want to be alerted on. For our example we have used the value “RT_FLOW_SESSION_DENY” in the field “message”.
  8. Here we select thresholds for alerting. For our example, we want to be alerted when there are more than 26,000 of these messages, so we enter that value in this dropdown.
  9. Counts of results are divided into time-based buckets, which are represented by the bars in the chart. Depending on the time frame you want to measure over, change this value.
  10. Some criteria have advanced options, which you can change here.
  11. Choose where to send your alert.
  12. The re-alert setting is important and should be understood before continuing. Essentially, this setting will silence an alert for a short time period after it fires, to prevent getting flooded with alerts. If set to 5 minutes, you will never receive more than one alert in a five-minute period, no matter how many times an alert fires. Update this setting accordingly, depending on your needs.
  13. Enter a subject and body for your alert. You can type “%” followed by some characters to insert tokens into your alerts. Choose a field from the dropdown that appears. Now, when you get alerted, your tokens will be replaced by the content of that field from the event that triggered the alert.
  14. In the Slack tab, enter a channel/username to post the alert to. You can use #channel names or @usernames.
  15. You can run a simulation of this alert over a specified time period by clicking this button. No actual alerts will be sent.

  16. Once all fields are filled out, click the Save button.

You now have a new rule in praeco.
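
For reference, this is roughly what the example from steps 1 to 16 looks like as an ElastAlert rule file. It is an added example written by hand, not praeco's own output or code from the original article. The rule name, timeframe, query_key field, Slack channel and alert text are assumed values.

```yaml
# Hand-written ElastAlert rule approximating the walkthrough's example.
# Values marked "assumed" are not from the article.
import: BaseRule.config          # shared Slack/SMTP settings (assumed to sit beside this rule file)

name: "Firewall session denies"  # step 1 (assumed name)
type: frequency                  # step 5: "count" compared against a threshold
index: ms-*                      # step 2
timestamp_type: iso              # step 3: time stored as a Date
timestamp_field: "@timestamp"    # step 4

# Step 7: only events whose message field contains the deny marker.
filter:
  - query:
      query_string:
        query: 'message:"RT_FLOW_SESSION_DENY"'

# Steps 8-9: frequency matches once at least num_events hits fall inside
# the timeframe, so "more than 26,000" is written as 26001.
num_events: 26001
timeframe:
  minutes: 5                     # assumed window

# Step 6 (optional): keep a separate count per value of one field.
# query_key: host                # hypothetical field name

# Step 12: after a match, stay silent for this long, however many
# further matches occur.
realert:
  minutes: 5

# Steps 11, 13, 14: where the alert goes and what it says.
alert:
  - slack
slack_channel_override: "#security-alerts"   # assumed channel
alert_subject: "Session denies above threshold"
alert_text_type: alert_text_only
alert_text: "Last matching event: {0}"
alert_text_args:
  - message                      # field substituted from the triggering event
```

Comparing a saved rule against a hand-written one like this is a quick way to confirm that the filter and threshold match what you intended before enabling it.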

Rules start out disabled after creation, so click the Enable button to activate alerts.

After a few minutes, depending on your ElastAlert config, you should start seeing entries in the query log. This confirms that checks are happening.

If you don’t see any alerts in Slack, check the alert log and see if the system attempted to send it. You can also check the error log (in the sidebar) and see if there are any messages in there.

If you have any problems, feel free to open a GitHub issue with as much detail as possible.

If you would like to vote on new features, or suggest a new feature for others to vote on, visit our feedback board.