Setting up ElastAlert
Although the setup guide for ElastAlert is already available on their website, I faced some challenges while setting it up on my machine. So here is a step-by-step guide with solutions to some errors I faced and you might too.
Requirements
- ISO8601 or Unix timestamped data
- Elasticsearch
- Python 3.6
Installations
If you’re here, you probably already have Elasticsearch installed on your system. If not, download it from here and follow these simple installation steps.
Pip is bundled with Python >3.4, so it is installed along with the executable installer you download from here. To check the installation, type pip -V or pip --version in cmd. (Version on my machine for this setup: 21.0.1)
There are two ways to install ElastAlert on your system —
- Using pip
pip install elastalert
OR
- Using git
git clone https://github.com/Yelp/elastalert.git
cd elastalert
pip install -r requirements.txt
This will download all the required dependencies. pip may fail to install Blist and show an error. So, here is what I did to fix the Blist installation error:
- Download the Blist wheel from here into the elastalert directory. The tag after "cp" is the Python version, so cp36 is the one compatible with Python 3.6:
pip install blist-1.3.6-cp36-cp36m-win_amd64.whl
(i.e. your blist whl file)
Once Blist is installed, run —
pip install "setuptools>=11.3"
python setup.py install
Now, install the elasticsearch Python client that matches your Elasticsearch server version —
pip install "elasticsearch==7.0.0"
Configuration
Next, open config.yaml.example, configure it to point at your Elasticsearch instance, and save it as config.yaml. THIS IS IMPORTANT. The file ships as config.yaml.example, and if it is left with that name it causes an error in the next step, creating the index: (FileNotFoundError: [Errno 2] No such file or directory: 'config.yaml')
Creating an index
Keep your elasticsearch instance up and running.
Next, to create an index for ElastAlert to write to, run —
elastalert-create-index
and follow the input prompts. For example, specify a new index name (the default is elastalert_status).
You can check the created indices by opening http://localhost:9200/_cat/indices in your web browser.
Creating a rule
Go to example_rules/example_frequency.yaml in the elastalert directory and change it according to the alert type you would like to set up. I have added the configuration for an email alert:
es_host: localhost
es_port: 9200
alert:
- "email"
email:
- "<email-to-which-the-alert-will-be-sent>"
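The two mistakes that bit this setup, a config.yaml that still carries the .example suffix and a rule whose email recipient is still the placeholder, are easy to catch before ElastAlert is even started. The following pre-flight checker is an added example (not ElastAlert's own code); it uses only the standard library and its parser handles only the flat key/value and list layout of the rule fragment above, not general YAML:

```python
# Added pre-flight check for the setup above (not ElastAlert's own code).
# Standard library only, so it runs before ElastAlert itself is installed.
# The parser covers only the flat "key: value" / "- item" YAML subset
# used in the rule fragment above, not general YAML.

def parse_flat_yaml(text):
    """Return a dict of scalar strings and lists of strings."""
    data, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # strip comments
        if not line.strip():
            continue
        if line.lstrip().startswith("- "):             # list item
            if not isinstance(data.get(current), list):
                raise ValueError("list item without a list key: %r" % raw)
            data[current].append(line.lstrip()[2:].strip().strip("\"'"))
        else:                                          # key: value
            key, _, value = line.partition(":")
            current = key.strip()
            value = value.strip().strip("\"'")
            data[current] = value if value else []     # bare key starts a list
    return data

def config_file_issues(filenames):
    """The FileNotFoundError trap: config.yaml.example was never renamed."""
    if "config.yaml" in filenames:
        return []
    hint = " (rename config.yaml.example)" if "config.yaml.example" in filenames else ""
    return ["config.yaml not found" + hint]

def rule_issues(rule):
    """Checks for the email rule: connection keys, alert type, recipients."""
    issues = [f"missing {k}" for k in ("es_host", "es_port") if not rule.get(k)]
    port = rule.get("es_port")
    if isinstance(port, str) and not port.isdigit():
        issues.append(f"es_port is not numeric: {port!r}")
    alerts = rule.get("alert") or []
    alerts = [alerts] if isinstance(alerts, str) else alerts
    if not alerts:
        issues.append("no alert type configured")
    if "email" in alerts:
        rcpts = rule.get("email") or []
        rcpts = [rcpts] if isinstance(rcpts, str) else rcpts
        bad = [r for r in rcpts if "@" not in r or r.startswith("<")]
        if not rcpts:
            issues.append("alert 'email' set but no 'email' recipients listed")
        elif bad:
            issues.append("unreplaced placeholder or malformed recipient: " + ", ".join(bad))
    return issues
```

Pass it the text of your rule file and os.listdir() of the elastalert directory; an empty list from both functions means the two traps above are cleared.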
Testing and running your rule
You can test your rule before running it with elastalert-test-rule:
elastalert-test-rule --config <absolute-path-to-config.yaml> example_rules/example_frequency.yaml
Next, you can run it directly with python —
python -m elastalert.elastalert --verbose --rule example_frequency.yaml
Now it'll be up and running!
In case you face issues other than the ones mentioned, I'd appreciate it if you mention them in the comments. You can also refer to the ElastAlert docs for a thorough study.
Thank you for reading!