ElastAlert for first time and Configuration — Part 2

Prabhu Rajendran, published in Everything at Once, Aug 15, 2019 (2 min read)

Part 1, Introduction to ElastAlert, is here!

Hopefully the setup from Part 1 is done; if you ran into any issues during setup, please comment.

Setting up Elasticsearch for ElastAlert: as already said, ElastAlert "saves its state to Elasticsearch". Yes! ElastAlert writes information and metadata about its queries and alerts back into Elasticsearch (for auditing and debugging, and so that ElastAlert can resume from exactly where it left off in its previous state).

How do we connect ElastAlert to Elasticsearch?

Before jumping into this, make sure Elasticsearch is running, and Kibana as well if you want an interface.

ElastAlert will create its own index in Elasticsearch to write to.

How do we create the index in Elasticsearch for ElastAlert?

After installation, run this command to create it:

$ elastalert-create-index

It will ask which index name we need, plus the host and port info. If you need to recreate it:

$ elastalert-create-index --recreate

For more options you can check:

$ elastalert-create-index --help

Sample: you can check the example folder for more info. We have already seen ElastAlert's main configuration, rule types and alerts.

Let's see how to create a rule. Each rule defines two things:

  1. A query to run against Elasticsearch, and the condition on its results that triggers an action
  2. A list of alerts to send when the condition matches

Both points are defined in the rule file, which is written in YAML. A sample rule file looks like this:

# Elasticsearch connection (overrides the global config.yaml values)
es_host: 127.0.0.1
es_port: 9200

name: Log frequency rule
type: frequency
index: loginfo*
is_enabled: false   # set to true to make ElastAlert load and run this rule

# how much data each query covers, and how often the rule runs
buffer_time:
  minutes: 1
run_every:
  minutes: 1

# alert when at least num_events hits occur within timeframe
num_events: 30
timeframe:
  seconds: 30

alert:
  - "email"
email:
  - "prabhu@technogramsolutions.com"

This is the frequency rule type; hopefully the config above describes the info it needs.

The config file for ElastAlert (config.yaml) holds the global configuration:

rules_folder: alert_rules
run_every:
  seconds: 10
buffer_time:
  seconds: 10
es_host: localhost
es_port: 9200

# index (and alias) where ElastAlert writes its own state
writeback_index: elastalert_status
writeback_alias: elastalert_alerts

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 0

smtp_host: 'smtp.gmail.com'
smtp_port: 465
smtp_ssl: true
# false disables TLS certificate verification for the Elasticsearch
# connection; keep it true outside of local testing
verify_certs: false
smtp_auth_file: '/Users/prabhu/Documents/tgs-elasticstack/elastalert/alert_rules/smtp_auth_file'
from_addr: 'rajendranprabhu.r@gmail.com'

As you can see, some of the global settings (es_host, es_port, run_every, buffer_time) can be overridden at the rule level.

Frequency rule description: the rule queries the loginfo* index for the last 1 minute of records (buffer_time), runs every 1 minute (run_every), and fires an alert when at least 30 events (num_events) occur within a 30 second window (timeframe).
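To make the num_events / timeframe behaviour concrete, here is an added Python sketch of the frequency rule's sliding-window check run over constructed timestamps. It is illustration code written for this post, not ElastAlert's own implementation; it assumes hits arrive sorted by timestamp and, like ElastAlert, clears the window after a match so one burst produces one alert.

```python
from collections import deque
from datetime import datetime, timedelta

# Parameters of the sample frequency rule above (num_events: 30 within a
# timeframe of 30 seconds); the key names are ElastAlert's own.
RULE = {"num_events": 30, "timeframe": timedelta(seconds=30)}


def frequency_matches(timestamps, num_events, timeframe):
    """Sliding-window check in the spirit of ElastAlert's frequency rule.

    timestamps: datetime objects, one per hit, sorted ascending.
    Returns a list of (window_start, window_end) pairs, one per alert
    that would fire. The window is cleared after each match so a single
    burst yields one alert rather than one per additional event.
    """
    window = deque()
    matches = []
    for ts in timestamps:
        window.append(ts)
        # drop hits that are older than timeframe relative to the newest hit
        while ts - window[0] > timeframe:
            window.popleft()
        if len(window) >= num_events:
            matches.append((window[0], ts))
            window.clear()
    return matches


def constructed_events():
    """Constructed sample data (not real logs): a burst of 35 hits 0.5 s
    apart, followed by 10 hits a minute apart. Only the burst should
    trigger the rule."""
    start = datetime(2019, 8, 15, 12, 0, 0)
    burst = [start + timedelta(seconds=0.5 * i) for i in range(35)]
    quiet = [start + timedelta(minutes=5 + i) for i in range(10)]
    return burst + quiet


if __name__ == "__main__":
    for begin, end in frequency_matches(constructed_events(), **RULE):
        print(f"alert: {RULE['num_events']} hits between {begin} and {end}")
```

Lowering num_events or widening timeframe in RULE shows how the same data produces more (or earlier) alerts, which is the tuning decision a real rule needs.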

Hopefully the sample makes this clear. In the next part we will look at each rule type in detail, how to create a custom rule type, and how to enhance the data.

In case of queries or issues, please feel free to comment!

Thanks for your time.
