ElastAlert for first time and Configuration — Part 2
Part 1 — Introduction to ElastAlert here!
Hope! we have done setup.. in case of any issues in set up please comment…
Setting Up Elastic Search for ElastAlert : — as already said “save its state to elasticsearch” — Yes! ElastAlert Save Information and meta data about it queries and alert back in elastic search (for auditing,debugging and too elastalert to resume where exactly it left of from previous state).
How do we set elastalert to elasticsearch?
Before jumping to this, make sure elastic search is running & kibana (if required) for interface.
Yass!, ElastAlert will create an index in elastic search to write.
How to create index in elastic search for elastalert?
After installation, to run execute this command to create it.
$elastalert-create-index
it will ask for which index name do we need ,host and port info.if need to recreate it ? $elastalert-create-index — recreate
For More you can check $elastalert-create-index — help
Sample : you can check example folder for more info,As already we have seen elastalert main configurations rule types and alerts.
Let see how to create a rule.
- Each Rule define a query to perform action in elasticsearch
- list of alerts
Above two points will be defined in rule. (sample rule file be like .yaml format)
es_host: 127.0.0.1
es_port: 9200
name: Log frequency rule
type: frequency
index: loginfo*
is_enabled: false
buffer_time:
minutes: 1
run_every:
minutes: 1
num_events: 30
timeframe:
seconds: 30
alert:
- "email"
email:
- "prabhu@technogramsolutions.com"
Frequency rule type , hope from config will describe the info.
Config file for elastalert :(config.yaml) — global configurations.
rules_folder: alert_rules
run_every:
seconds: 10
buffer_time:
seconds: 10
es_host: localhost
es_port: 9200
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
days: 0
smtp_host: 'smtp.gmail.com'
smtp_port: 465
smtp_ssl: true
verify_certs: false
smtp_auth_file: '/Users/prabhu/Documents/tgs-elasticstack/elastalert/alert_rules/smtp_auth_file'
from_addr: 'rajendranprabhu.r@gmail.com'
As you can see we can override some info in rule level as level.
Frequency Rule Description : index (loginfo) records to fetch 1 minutes record , num_events must be there minimum is 30 in time frame of 30 seconds and rule will be run in every 1 minute to alert that rule.
Hope clears in sample,in next part let see about each rule type with detail and how to create custom rule type and enhance data in next part.
In case of queries please feel free to comment if any issues!.
Thanks for the time.