This folder contains a script for configuring and running ElastAlert on an AWS server. This script has been tested on the following operating systems:
There is a good chance it will work on other flavors of Debian, CentOS, and RHEL as well.
ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch. Note that it's not an Elasticsearch plugin, just a Python service that connects to the Elasticsearch API. However, there is a separate ElastAlert Kibana Plugin that exposes ElastAlert functionality in Kibana.
The key idea is that you define an Elasticsearch query as part of a rule, which is of some rule type that specifies when that query should trigger an alert, which is of some alert type. For example, you might use the frequency rule type ("Match where there are at least X events in Y time") to define a rule that triggers an alert of type Slack, so that a Slack message appears when the rule is triggered.
This script depends on bash-commons, so you must install that project first as documented in its README.
Edit the config.yaml file in /opt/elastalert/config/config.yaml and make sure the rules_folder property specifies the folder that contains all the ElastAlert rule definitions.
Review the example rules. As a quick start, use the sns alert type by making sure the example rule contains the following and no other alert type:

alert:
  - "sns"
aws_region: "fill-this-in"
sns_topic_arn: "fill-this-in"

Now start ElastAlert by executing the run-elastalert script as follows:
/opt/elastalert/bin/run-elastalert --config /opt/elastalert/config/config.yaml
This will begin querying data in Elasticsearch starting from right this moment.
Finally, send some data into the Elasticsearch cluster and confirm that you've received an email (TODO: How best to send data to cluster?)
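The quick start above, written out as a complete frequency rule next to the config.yaml that loads it. This is an added example, not a file shipped with this script: the ElastAlert keys are real, but the hostname, index pattern, query, region and topic ARN are constructed placeholders to replace with your own values.

```yaml
# /opt/elastalert/config/config.yaml (added example; two separate files shown here,
# separated by "---" for readability only)
rules_folder: /opt/elastalert/rules        # every *.yaml file here is loaded as a rule
run_every:
  minutes: 1                               # how often ElastAlert queries Elasticsearch
buffer_time:
  minutes: 15                              # window of recent data re-queried each run
es_host: elasticsearch.internal.example    # constructed hostname, not a real endpoint
es_port: 9200
writeback_index: elastalert_status         # ElastAlert records its own state and alert history here
alert_time_limit:
  days: 2                                  # keep retrying an alert that failed to send for two days

---
# /opt/elastalert/rules/ssh-auth-failures.yaml (added example rule)
name: "Burst of SSH authentication failures"
type: frequency                            # rule type: "at least X events in Y time"
index: "filebeat-*"                        # constructed index pattern
num_events: 20                             # X: fire once 20 matching events ...
timeframe:
  minutes: 5                               # ... occur within Y = 5 minutes
query_key: "source.ip"                     # count per source address rather than globally
realert:
  minutes: 30                              # suppress repeat alerts for the same source.ip
filter:                                    # the Elasticsearch query this rule is built on
  - query:
      query_string:
        query: 'event.dataset:"system.auth" AND message:"Failed password"'
alert:                                     # alert type: publish to an SNS topic
  - "sns"
aws_region: "us-east-1"                    # constructed; must match the topic's region
sns_topic_arn: "arn:aws:sns:us-east-1:123456789012:elastalert-notify"  # placeholder ARN
```

Subscribe an email address (or any other endpoint) to the SNS topic to receive the notification the last step refers to.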
Run run-elastalert --help to see all available arguments, or just check out the run-elastalert source code.
X-Pack is a full-featured, commercial plugin maintained by elastic.co that includes the following features:
By contrast, ElastAlert is limited to alerting and notifications. We chose ElastAlert over X-Pack because, as an alerting plugin, ElastAlert compares favorably to X-Pack, and it's open source. However, if you require other features of X-Pack, you may prefer to use X-Pack for alerting and notifications as well.