3. Installing ElastAlert
ElastAlert is an alerting project for Elasticsearch maintained by Yelp on GitHub: https://github.com/Yelp/elastalert
While the Open Distro alerting plugin is similar to Watcher and can run some fairly complicated queries, ElastAlert is a much simpler and more straightforward tool, especially given the many supported destinations to which it can send alerts. See documentation.
ElastAlert can be useful as a first layer of logic, with more complex sets of monitoring rules applied afterwards using the Open Distro alerting plugin. Why this combination is needed is something we will discuss in 5. Alerting with ELK and 6. Building Detection Rules.
As root, go to /etc/, then clone the repository and install the required packages:
$ git clone https://github.com/Yelp/elastalert.git
$ apt install python3.6 python-dev libffi-dev libssl-dev python3-pip python-pip
$ pip3 install -r /etc/elastalert/requirements.txt
Then edit the configuration file:
$ vi /etc/elastalert/config.yaml
rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: False
es_username: admin
es_password: admin
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2
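As an added check (not part of this post or of the ElastAlert project), the following Python script parses a config.yaml in the shape shown above and reports the two settings a reviewer would question before putting this into production: verify_certs: False means the TLS connection to Elasticsearch is encrypted but the server is never authenticated, and admin/admin are the credentials the Open Distro security plugin ships with. It also confirms the required keys are present and converts the run_every, buffer_time and alert_time_limit blocks to seconds. Rather than depending on PyYAML it uses a small parser for the two-level key/value subset of YAML that config.yaml uses; the embedded sample config is the one listed above. The function and constant names are my own.

```python
"""Lint an ElastAlert config.yaml for completeness and weak security settings."""

# Constructed sample: the config.yaml shown in this section, verbatim.
SAMPLE_CONFIG = """\
rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: False
es_username: admin
es_password: admin
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2
"""

# Keys ElastAlert needs before it can query Elasticsearch and record its state.
REQUIRED_KEYS = ("rules_folder", "run_every", "buffer_time",
                 "es_host", "es_port", "writeback_index")
# Username/password pairs shipped by default with the Open Distro security plugin.
DEFAULT_CREDENTIALS = {("admin", "admin")}
# Time units ElastAlert accepts in run_every / buffer_time style blocks.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600,
                "days": 86400, "weeks": 604800}


def parse_scalar(text):
    """Turn a YAML scalar into bool, int or str (the only types this config uses)."""
    text = text.strip()
    if text.lower() in ("true", "false"):
        return text.lower() == "true"
    try:
        return int(text)
    except ValueError:
        return text


def parse_config(text):
    """Minimal parser for the two-level 'key: value' subset of YAML used by
    config.yaml. Stand-in for yaml.safe_load so the script has no dependencies."""
    config = {}
    current = None  # name of the top-level key whose indented children we are reading
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.partition(":")
        if raw.startswith((" ", "\t")):          # indented: child of `current`
            if current is None:
                raise ValueError("indented line without a parent key: %r" % raw)
            config[current][key.strip()] = parse_scalar(value)
        elif value.strip():                       # plain key: value
            config[key.strip()] = parse_scalar(value)
            current = None
        else:                                     # key with nested block
            current = key.strip()
            config[current] = {}
    return config


def duration_seconds(block):
    """Convert a {unit: amount} block such as {'minutes': 15} to seconds."""
    return sum(UNIT_SECONDS[unit] * amount for unit, amount in block.items())


def lint_config(config):
    """Return a list of human-readable findings; an empty list means no issues."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in config:
            findings.append("missing required setting: %s" % key)
    # ElastAlert defaults verify_certs to True; explicitly disabling it removes
    # server authentication from an otherwise encrypted connection.
    if config.get("use_ssl") and not config.get("verify_certs", True):
        findings.append("verify_certs is False: the Elasticsearch certificate is not validated")
    if (config.get("es_username"), config.get("es_password")) in DEFAULT_CREDENTIALS:
        findings.append("es_username/es_password are the Open Distro default credentials")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name in ("run_every", "buffer_time", "alert_time_limit"):
        print("%-17s %6d s" % (name, duration_seconds(cfg[name])))
    for finding in lint_config(cfg) or ["no findings"]:
        print("-", finding)
```

Run it against your own file with `parse_config(open("/etc/elastalert/config.yaml").read())`; on the config above it reports the unvalidated certificate and the default credentials, both of which should be changed once the setup is working.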
Make sure the rules folder exists in the repository, then run the installer:
$ cd /etc/elastalert/
$ python3 setup.py install
Check that the installation succeeded, then run the following command to create the elastalert index in Elasticsearch:
/etc/elastalert$ elastalert-create-index
You should see the created indices in Kibana, as in the figure below:

Creation of ElastAlert Indices
To start ElastAlert as a service, create the following systemd unit file by pasting in these lines:
$ vi /lib/systemd/system/elastalert.service
[Unit]
Description=elastalert
After=multi-user.target
[Service]
Type=simple
WorkingDirectory=/etc/elastalert
ExecStart=/usr/local/bin/elastalert --config /etc/elastalert/config.yaml --verbose
StandardOutput=syslog
StandardError=syslog
KillSignal=SIGKILL
PIDFile=/var/run/elastalert.pid
[Install]
WantedBy=multi-user.target
$ ln -s /lib/systemd/system/elastalert.service /etc/systemd/system/elastalert.service
$ systemctl daemon-reload
$ systemctl enable elastalert.service
$ systemctl start elastalert.service
$ systemctl status elastalert.service
ElastAlert should now be up and running.