3. Installing ElastAlert
ElastAlert is an alerting framework for Elasticsearch maintained by Yelp on GitHub: https://github.com/Yelp/elastalert

Why use two alerting modules?

The Open Distro alerting plugin is similar to Watcher and can evaluate fairly complex queries, whereas ElastAlert is a simpler, more straightforward tool, notably because of the many destinations it can deliver alerts to. See the ElastAlert documentation.
ElastAlert can serve as a first layer of logic, with more complex sets of monitoring rules applied afterwards through the Open Distro alerting plugin. Why this combination is needed is discussed in 5. Alerting with ELK and 6. Building Detection Rules.

Installing ElastAlert

Cloning from repository

As root, change to /etc/, clone the repository and install the packages it needs (the Python 3 headers from python3-dev are required to build the compiled dependencies):

$ cd /etc/
$ git clone https://github.com/Yelp/elastalert.git
$ apt install python3.6 python3-dev python3-pip libffi-dev libssl-dev

Install requirements

$ pip3 install -r /etc/elastalert/requirements.txt

Modify Configuration File

vi /etc/elastalert/config.yaml

rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: False
es_username: admin
es_password: admin
writeback_index: elastalert_status
writeback_alias: elastalert_alerts
alert_time_limit:
  days: 2

Make sure the rules folder exists: rules_folder is resolved relative to the directory ElastAlert is started from, so with the systemd unit further down (WorkingDirectory=/etc/elastalert) it must be /etc/elastalert/rules. Two settings above are lab shortcuts, not production values: verify_certs: False makes ElastAlert accept whatever certificate the Elasticsearch endpoint presents, and admin/admin are the Open Distro demo credentials. On a real deployment keep verify_certs: True, point ca_certs at the CA that signed the cluster certificate, and create a dedicated Elasticsearch user for ElastAlert with read access to the indices its rules query and write access to the writeback index.
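The following pre-flight check is an added example written for this page; it is not part of the original tutorial or of the ElastAlert project. It reads a config.yaml, flags the weak settings of the configuration above (certificate verification off, the admin/admin demo account, TLS not enabled) and confirms that rules_folder exists relative to the directory the service will run from. The hardened variant it constructs uses ElastAlert's ca_certs option; the CA file path /etc/elastalert/ca.pem and the elastalert user name are assumptions, as are the sample configs, which are constructed inline.

```shell
#!/bin/sh
# Added example, not from the original page or the ElastAlert project:
# a pre-flight check for config.yaml that flags verify_certs: False,
# the admin/admin demo credentials and a missing use_ssl: True, and
# verifies rules_folder exists relative to the service's working directory.
# Paths and account names used in the constructed configs are assumptions.

# cfg_value CONFIG KEY: first value of a top-level "KEY: value" line,
# with surrounding quotes and trailing whitespace stripped.
cfg_value() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*$//' | tr -d "\"'"
}

# check_elastalert_config CONFIG WORKDIR
# Returns 0 when the config is acceptable, 1 otherwise; findings go to stderr.
check_elastalert_config() {
    cfg="$1"; workdir="$2"; rc=0

    # Without TLS the es_username/es_password pair crosses the wire in clear.
    case "$(cfg_value "$cfg" use_ssl)" in
        [Tt]rue) ;;
        *) echo "WARN: use_ssl is not True; credentials would go over plain HTTP" >&2; rc=1 ;;
    esac

    # verify_certs: False accepts any certificate, so a spoofed Elasticsearch
    # endpoint would receive the credentials. Verify, and pin the signing CA.
    case "$(cfg_value "$cfg" verify_certs)" in
        [Tt]rue)
            [ -n "$(cfg_value "$cfg" ca_certs)" ] ||
                echo "INFO: verify_certs is True but ca_certs is unset; system CA store will be used" >&2 ;;
        *) echo "WARN: verify_certs is not True; set it to True and point ca_certs at your CA file" >&2; rc=1 ;;
    esac

    # admin/admin is the Open Distro demo account; give ElastAlert its own user.
    if [ "$(cfg_value "$cfg" es_username)" = "admin" ] &&
       [ "$(cfg_value "$cfg" es_password)" = "admin" ]; then
        echo "WARN: es_username/es_password are the admin/admin demo defaults" >&2; rc=1
    fi

    # A relative rules_folder resolves against the process's working
    # directory, which is why the systemd unit sets WorkingDirectory.
    rules=$(cfg_value "$cfg" rules_folder)
    case "$rules" in
        /*) rules_path="$rules" ;;
        *)  rules_path="$workdir/$rules" ;;
    esac
    if [ ! -d "$rules_path" ]; then
        echo "ERROR: rules_folder '$rules' not found at $rules_path" >&2; rc=1
    fi
    return "$rc"
}

# Stand-alone demo on two constructed configs: the page's own settings and a
# hardened variant (CA path and elastalert account are assumed values).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/rules"
    cat > "$tmp/weak.yaml" <<'EOF'
rules_folder: rules
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: False
es_username: admin
es_password: admin
EOF
    cat > "$tmp/hardened.yaml" <<'EOF'
rules_folder: rules
es_host: localhost
es_port: 9200
use_ssl: True
verify_certs: True
ca_certs: /etc/elastalert/ca.pem
es_username: elastalert
es_password: "generate-a-long-random-secret"
EOF
    for f in weak hardened; do
        if check_elastalert_config "$tmp/$f.yaml" "$tmp"; then
            echo "$f.yaml: OK"
        else
            echo "$f.yaml: needs attention"
        fi
    done
    rm -rf "$tmp"
}
demo
```

Run it against the real file with `check_elastalert_config /etc/elastalert/config.yaml /etc/elastalert` before enabling the service; a non-zero exit means at least one of the findings above applies.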

Set up ElastAlert

$ cd /etc/elastalert/
$ python3 setup.py install

If the installation succeeded, run the following command to create the ElastAlert writeback index and its companion indices in Elasticsearch:

/etc/elastalert$ elastalert-create-index

You should see the created indices in Kibana:
(Screenshot: Creation of ElastAlert Indices)

Running ElastAlert as a service

To run ElastAlert as a systemd service, create the unit file below with the following content:

$ vi /lib/systemd/system/elastalert.service

[Unit]
Description=elastalert
After=multi-user.target

[Service]
Type=simple
WorkingDirectory=/etc/elastalert
ExecStart=/usr/local/bin/elastalert --config /etc/elastalert/config.yaml --verbose
StandardOutput=syslog
StandardError=syslog
KillSignal=SIGKILL
PIDFile=/var/run/elastalert.pid

[Install]
WantedBy=multi-user.target

Two points about this unit: PIDFile only matters for Type=forking and can be dropped here, and KillSignal=SIGKILL means the process is never given a chance to shut down cleanly, so the default SIGTERM is the usual choice. As written the service also runs as root; ElastAlert only needs to read its config and rules and talk to Elasticsearch, so a dedicated unprivileged account set via User= is the least-privilege option.

Then link, enable and start the unit:

$ ln -s /lib/systemd/system/elastalert.service /etc/systemd/system/elastalert.service
$ systemctl daemon-reload
$ systemctl enable elastalert.service
$ systemctl start elastalert.service
$ systemctl status elastalert.service

ElastAlert should now be up and running.