ElastAlert is a very nice package that can be installed on top of the ELK stack. It is a free replacement for the X-Pack Watcher product. The basic idea of the package is that each alerting rule is described in its own YAML file. You will find a nice introduction to the package's possibilities here.

Installing

ElastAlert keeps its own state in a few indexes stored in Elasticsearch itself. The first step is therefore to configure the Elasticsearch connection and then to create the required indexes.

The Elasticsearch configuration is read by default from a config.yaml file that must be stored in the “elastalert” folder (at the same level as the elastalert.py file).

ElastAlert is Python 2 software, so a Python 2 interpreter is required. Installing it inside a virtualenv helps a lot as well.

In order to get all the dependencies, navigate to the directory that has the requirements.txt and issue the following command:

pip install -r requirements.txt


Once the configuration is done, the indexes can be created with the command:

python create_index.py

If you are using Elasticsearch version >= 6, you should end up with five new indexes starting with the prefix you chose in config.yaml (writeback_index).

You are basically ready to start. The next step is to specify your rules folder and add a rule inside it, using the example rules included in the project as a starting point.
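As an added example (not part of the original post or the ElastAlert project), here is a minimal config.yaml followed by one rule file, shown as two YAML documents in a single block. The hostname elasticsearch, the index pattern filebeat-*, the ECS field names and the e-mail address are assumptions; the rule alerts when a single source address produces ten failed SSH logins within five minutes.

```yaml
# config.yaml, stored next to elastalert.py as described above
rules_folder: rules              # folder ElastAlert scans for rule files
run_every:
  minutes: 1                     # how often Elasticsearch is queried
buffer_time:
  minutes: 15                    # how far back each query looks
es_host: elasticsearch           # assumed hostname of the Elasticsearch node
es_port: 9200
writeback_index: elastalert_status   # prefix of the indexes create_index.py builds
alert_time_limit:
  days: 2                        # keep retrying a failed alert for two days

---
# rules/ssh_bruteforce.yaml: repeated failed SSH logins from one source address
name: SSH brute force attempts
type: frequency                  # fire when num_events occur within timeframe
index: filebeat-*                # assumed index pattern holding the auth logs
num_events: 10
timeframe:
  minutes: 5
query_key: source.ip             # count per source address, not globally
realert:
  minutes: 30                    # do not re-alert for the same source.ip within 30 min
filter:
- term:
    event.action: ssh_login      # assumed ECS field set by the Filebeat system module
- term:
    event.outcome: failure
alert:
- email
email:
- soc@example.com                # assumed recipient
```

Drop the rule file into the folder named by rules_folder and restart ElastAlert; with --verbose it logs each query it runs and the number of hits, which is the quickest way to confirm the filter matches your documents.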

In order to start the software, use the following command:

python elastalert.py

ElastAlert does not log much by default. To debug it easily, launch it with the --verbose flag.

python elastalert.py --verbose

Dockerizing ElastAlert

An easy way to dockerize ElastAlert is to simply copy the elastalert folder into a container that has a Python interpreter.

Create a Dockerfile as shown below:

FROM ubuntu:latest

# Python 2.7 toolchain plus the headers the ElastAlert dependencies compile against
RUN apt-get update && apt-get upgrade -y
RUN apt-get -y install build-essential python-setuptools python2.7 python2.7-dev libssl-dev git tox
RUN easy_install pip

WORKDIR /home/elastalert

# Install the dependencies first so this layer is cached while the code changes
ADD requirements*.txt ./
RUN pip install -r requirements.txt
# Copy the elastalert folder (elastalert.py, config.yaml, rules) into the image
ADD ./elastalert ./

# Sanity check of the image content during the build
RUN ls -l /home/elastalert

CMD ["python", "elastalert.py"]

Build it with the following command:

docker build .

Once built, tag your image and push it to your repository.

It is then possible to use it in a Docker Compose file as shown below (You can use my already packaged container if you want).

services:
  elastalert:
    image: snuids/elastalert:v0.1.27d
    container_name: elastalert
    command: python elastalert.py --verbose
    environment:
      - TZ=Europe/Paris
    volumes:
      # rules folder and config.yaml are kept on the host so they can be edited without rebuilding
      - "/home/local/elastalert/rules:/home/elastalert/rules"
      - "/home/local/elastalert/config.yaml:/home/elastalert/config.yaml"
    restart: always