ElastAlert is a very useful package that can be installed on top of the ELK stack as a free replacement for the X-Pack Watcher product. The basic idea of the package is that each alerting rule is described in its own YAML file. You will find a nice introduction to the package's possibilities here.
ElastAlert keeps a few indexes of its own, which are stored in Elasticsearch itself. The first step is therefore to write the Elasticsearch configuration and then to create the required indexes.
The Elasticsearch connection is configured by default via a config.yaml file that must be stored in the “elastalert” folder (at the same level as the elastalert.py file).
ElastAlert is Python 2 software and requires a Python 2 interpreter. Installing it inside a virtualenv environment will help a lot as well.
In order to get all the dependencies, navigate to the directory that contains requirements.txt and issue the following command:
pip install -r requirements.txt
Once the configuration is done, the indexes can be created using the command:
If you are using Elasticsearch version >= 6, you should end up with five new indexes whose names start with the prefix you chose in config.yaml (writeback_index).
You are basically ready to start. The next step is to specify your rules folder (rules_folder in config.yaml) and add a rule inside it, using the example rules included in the project as a starting point.
In order to start the software, use the following command:
ElastAlert does not log much by default. In order to debug it easily, launch it with the --verbose option:
python elastalert.py --verbose
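As an added example, not code from the original post or from the ElastAlert project, the following shell script writes a minimal config.yaml and one frequency rule into a directory and checks the rule for the keys every rule must carry before the daemon is started (a missing key otherwise only shows up as a startup error). The Elasticsearch host name, the logstash-* index pattern, the source_ip, program and message field names, and the rule name are assumptions; adjust them to your logging pipeline.

```shell
#!/bin/sh
# Added example (not from the original post or the ElastAlert project):
# generate a minimal config.yaml and one frequency rule, then sanity-check
# the rule before starting ElastAlert. Host name, index pattern, field
# names and rule name are assumptions; adjust them to your environment.

# write_elastalert_files DIR
# Writes DIR/config.yaml and DIR/rules/ssh_bruteforce.yaml.
write_elastalert_files() {
    dir="$1"
    mkdir -p "$dir/rules"

    # Global configuration: where the rules live, how often to query,
    # which Elasticsearch to talk to and which index prefix ElastAlert owns.
    cat > "$dir/config.yaml" <<'EOF'
rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: elasticsearch.example.internal
es_port: 9200
writeback_index: elastalert_status
alert_time_limit:
  days: 2
EOF

    # One rule: alert when a single client produces 10 or more failed SSH
    # logins within 5 minutes. query_key counts per source_ip rather than
    # globally, and realert suppresses repeats for 30 minutes.
    cat > "$dir/rules/ssh_bruteforce.yaml" <<'EOF'
name: SSH brute force (assumed example rule)
type: frequency
index: logstash-*
num_events: 10
timeframe:
  minutes: 5
query_key: source_ip
filter:
- term:
    program: sshd
- query:
    query_string:
      query: 'message: "Failed password"'
realert:
  minutes: 30
alert:
- debug
EOF
}

# check_rule FILE
# Every ElastAlert rule needs at least name, type, index and alert;
# fail here instead of letting the daemon die at startup.
check_rule() {
    for key in name type index alert; do
        grep -q "^$key:" "$1" || { echo "rule $1 is missing '$key'" >&2; return 1; }
    done
    return 0
}

# Usage, from the elastalert folder (next to elastalert.py):
#   write_elastalert_files .
#   check_rule rules/ssh_bruteforce.yaml && python elastalert.py --verbose
```

Run it from the elastalert folder so that config.yaml lands next to elastalert.py and rules_folder: rules resolves to the rules subfolder; the debug alerter only writes each match to the ElastAlert log, which is enough to confirm under --verbose that the rule fires before wiring it to a real notification channel.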
Dockerizing ElastAlert
An easy way to dockerize ElastAlert is to simply copy the elastalert folder into a container that has a Python 2 interpreter.
Create a Dockerfile as shown below:
FROM ubuntu:latest
RUN apt-get update && apt-get upgrade -y
RUN apt-get -y install build-essential python-setuptools python2.7 python2.7-dev libssl-dev git tox
RUN easy_install pip
WORKDIR /home/elastalert
ADD requirements*.txt ./
RUN pip install -r requirements.txt
ADD ./elastalert ./
RUN ls -l /home/elastalert
CMD ["python", "elastalert.py"]
Build it with the following command (pinning the base image to a specific Ubuntu tag instead of latest keeps the build reproducible):
docker build .
Once built, tag your image and push it to your repository.
It is then possible to use it in a Docker Compose file as shown below (you can use my already packaged container if you want). The rules folder and config.yaml are mounted from the host, so rules can be changed without rebuilding the image.
##############################
elastalert:
  image: snuids/elastalert:v0.1.27d
  container_name: elastalert
  command: python elastalert.py --verbose
  environment:
    - TZ=Europe/Paris
  volumes:
    - "/home/local/elastalert/rules:/home/elastalert/rules"
    - "/home/local/elastalert/config.yaml:/home/elastalert/config.yaml"
  restart: always