3. Installing ElastAlert

Why using two alerting modules?

While Opendistro alerting plugin is similar to Watcher and can use some complicated queries, ElastAlert is a much simpler and straight forward tool, specially with its multiple supported destinations where you can send your alerts. See documentation.

ElastAlert can be useful to build a first layer of logic where you can apply some complex monitoring set of rules using Opendistro alerting plugin afterwards. The necessity of this combination is something we will be discussing in 5.Alerting with ELK and 6.Building Detection Rules.

Installing ElastAlert

Cloning from repository

As root go to /etc/ an then and clone the repository and install the required packages :

$ git clone https://github.com/Yelp/elastalert.git
$ apt install python3.6 python-dev libffi-dev libssl-dev python3-pip python-pip

Install requirements

$ pip3 install -r /etc/elastalert/requirements.txt

Modify Configuration File

vi /etc/elastalert/config.yaml

rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: False
es_username: admin
es_password: admin
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2

Setup ElastAlert

Check if the installation is successful then run the following command to create the elastalertindex at elasticsearch level.

You should see the created indices in Kibana as so:

Running ElastAlert as a service

In order to start elastalert as a service please create the file below by pasting the following lines as shown in these snippets of code:

Elastalert should be up an running.