Links

3. Installing ElastAlert

ElastAlert is an alerting project for elasticsearch maintained by YELP on GitHub : https://github.com/Yelp/elastalert

Why using two alerting modules?

While Opendistro alerting plugin is similar to Watcher and can use some complicated queries, ElastAlert is a much simpler and straight forward tool, specially with its multiple supported destinations where you can send your alerts. See documentation.
ElastAlert can be useful to build a first layer of logic where you can apply some complex monitoring set of rules using Opendistro alerting plugin afterwards. The necessity of this combination is something we will be discussing in 5.Alerting with ELK and 6.Building Detection Rules.

Installing ElastAlert

Cloning from repository

As root go to /etc/ an then and clone the repository and install the required packages :
$ git clone https://github.com/Yelp/elastalert.git
$ apt install python3.6 python-dev libffi-dev libssl-dev python3-pip python-pip

Install requirements

$ pip3 install -r /etc/elastalert/requirements.txt

Modify Configuration File

vi /etc/elastalert/config.yaml
rules_folder: rules
run_every:
minutes: 1
buffer_time:
minutes: 15
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: False
es_username: admin
es_password: admin
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
days: 2
Make sure the rulesfolder exists in the repository

Setup ElastAlert

$ cd /etc/elastalert/
$ python3 setup.py install
Check if the installation is successful then run the following command to create the elastalertindex at elasticsearch level.
/etc/elastalert$ elastalert-create-index
You should see the created indices in Kibana as so:
Creation of ElastAlert Indices

Running ElastAlert as a service

In order to start elastalert as a service please create the file below by pasting the following lines as shown in these snippets of code:
$ vi /lib/systemd/system/elastalert.service
[Unit]
Description=elastalert
After=multi-user.target
​
[Service]
Type=simple
WorkingDirectory=/etc/elastalert
ExecStart=/usr/local/bin/elastalert --config /etc/elastalert/config.yaml --verbose
StandardOutput=syslog
StandardError=syslog
KillSignal=SIGKILL
PIDFile=/var/run/elastalert.pid
​
[Install]
WantedBy=multi-user.target
$ ln -s /lib/systemd/system/elastalert.service /etc/systemd/system/elastalert.service
$ systemctl daemon-reload
$ systemctl enable elastalert.service
$ systemctl start elastalert.service
$ systemctl status elastalert.service
​
Elastalert should be up an running.