Skip to content

manankalra/elastalert-tutorial

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Alerting with Elastalert


This will get you started with Alerting using Yelp's alternative to the alerting feature of X-Pack from Elastic.

Repository structure

  • configurations

    • config.yaml - configurations file for elastalert
    • smtp_auth_file.yaml - authentication file for alerting via email
    • zdaemon.conf - configuration file for runneing elastalert as a daemon using zdaemon
  • rules - contains sample configurations rules to alert on CPU, memory and disk usage

  • requirements.txt - required python dependencies


1. Requirements


  • Elasticsearch

  • ISO8601 or Unix timestamped data

  • Python 2.7


2. Installation


If you're using Anaconda, do the following:

  • Create a new conda environment: conda create --name <name> python=2.7 -y.

  • Switch to the created environment: source activate <name>.

  • Install pip in the same environment: conda install pip. This is needed because most of the Elasalert package dependencies are not present in the Continuum channels.

Refer https://goo.gl/7QUSo2 for details on sharing a Conda environment. <br/ >

Installing Elastalert

  • Execute pip install -r requirements.txt to install the dependencies.

  • Finally, run pip install elastalert.


3. Getting started


  • Create an index for ElastAlert to write to by running elastalert-create-index and follow the input prompts.

  • Clone the Elastalert repo: git clone https://github.com/yelp/elastalert.

  • Navigate to the cloned repo and create config.yaml file with these settings:

rules_folder: alert_rules
run_every:
  seconds: 10
buffer_time:
  seconds: 10
#es_username: <username>
#es_password: <password>
es_host: localhost
es_port: 9200
alert_time_limit:
  days: 1
  • Create a directory called alert_rules. Navigate to it and create your yaml rule files in the same folder.

4. Running Elastalert


Testing a rule

  • elastalert-test-rule alert_rules/<your_rule_name>.yaml.

Running a single rule

  • python -m elastalert.elastalert --verbose --rule <your_rule_name>.yaml.

Running multiple rules

  • python -m elastalert.elastalert --verbose --config config.yaml

This will load all the rules present in the alert_rules directory.

5. Running Elastalert as a daemon


  • Install zdaemon: pip install zdaemon. (https://goo.gl/FCww8S)

  • Create a zdaemon.conf file with these contents:

<runner>
  program python -m elastalert.elastalert --conf config.yaml
  socket-name /tmp/elastalert.zdsock
  forever true
</runner>
  • To start Elastalert, execute: zdaemon -C zdaemon.conf start.

  • To stop Elastalert, execute: zdaemon -C zdaemon.conf stop.


6. Additional configurations


  • Alerting via Email

    • In the yaml file of the specific rule, append the following:
      alert:
      - email
      email: 
      	- "<email-to-which-the-alert-will-be-sent>"
      smtp_host: "smtp.gmail.com" #for google email addresses
      smtp_port: 465 #for google email addresses
      smtp_ssl: true
      from_addr: "<email-from-which-the-alert-will-be-sent>"
      smtp_auth_file: "<name-of-the-authentication-file>.yaml"
    • Contents of the smtp_auth_file.yaml include user and password fields:
      user: "<email-address>"
      password: "<password>"

  • Alerting via Slack

    • In the yaml file of the specific rule, append the following:
      alert:
       - slack
      slack_webhook_url: "<webhook-url-of-the-slack-channel>"
      slack_channel_override: "#<channel-name>"
      slack_username_override: "@<user-name>"

License

MIT