Setting up ElastAlert

Himani Raghav
3 min read · Apr 27, 2021



Although the setup guide for ElastAlert is already available on their website, I faced some challenges while setting it up on my machine. So here is a step-by-step guide with solutions to some errors I faced and you might too.

Requirements

  • ISO8601 or Unix timestamped data
  • Elasticsearch
  • Python 3.6

Installations

If you’re here, you probably already have Elasticsearch installed on your system. If not, download it from here and follow these simple installation steps.

Pip is bundled with Python > 3.4, so it will be installed when you download the executable installer from here. To check that the installation succeeded, type pip -V or pip --version in cmd. (Version on my machine for this setup: 21.0.1)

There are two ways to install ElastAlert on your system —

  • Using pip
pip install elastalert

OR

  • Using git
git clone https://github.com/Yelp/elastalert.git
cd elastalert
pip install -r requirements.txt

This will download all the required dependencies. pip may fail to install Blist and show an error. So, here is what I did to fix the Blist installation error:

  1. Download the Blist wheel from here into the elastalert directory. The part after “cp” in the filename is the Python version, so cp36 is the one compatible with Python 3.6.
  2. pip install blist-1.3.6-cp36-cp36m-win_amd64.whl (i.e. the name of your Blist .whl file)

Once Blist is installed, run —

pip install "setuptools>=11.3"
python setup.py install

Now, install the elasticsearch Python client matching the version of your Elasticsearch instance —

pip install "elasticsearch==7.0.0"

Configuration

Next, open config.yaml and configure it to work with your Elasticsearch instance.

(Screenshot in the original: config.yaml for an Elasticsearch instance running on http://localhost:9200/)

Save the file as config.yaml. THIS IS IMPORTANT. By default, this file ships as config.yaml.example, and if left as is, it will cause an error in the next step (creating an index): FileNotFoundError: [Errno 2] No such file or directory: ‘config.yaml’

Creating an index

Keep your Elasticsearch instance up and running.

Next, to create an index for ElastAlert to write to, run —

elastalert-create-index

and follow the input prompts. For example, specify a new index name (the default is elastalert_status).

You can check the indices created by opening http://localhost:9200/_cat/indices in your web browser.

Creating a rule

Go to example_rules/example_frequency.yaml in the elastalert directory and make changes according to the alert type you would like to set up. I have added the configuration for an email alert:

es_host: localhost
es_port: 9200
alert:
- "email"
email:
- "<email-to-which-the-alert-will-be-sent>"
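To see what a frequency rule like the one above actually evaluates, here is an added Python re-implementation of its sliding-window logic run over a few constructed, ISO8601-timestamped events; it is not ElastAlert's own code, and the rule dictionary, the event.action field and the sample events are assumptions standing in for example_frequency.yaml and your index data.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed rule with the fields of example_frequency.yaml (not the page's own file):
# fire when num_events events matching the filter occur within timeframe.
RULE = {
    "type": "frequency",
    "num_events": 3,
    "timeframe": {"minutes": 5},
    "filter": [{"term": {"event.action": "login_failed"}}],
    "alert": ["email"],
    "email": ["<email-to-which-the-alert-will-be-sent>"],
}

# Constructed sample documents with ISO8601 timestamps (the format ElastAlert requires).
EVENTS = [
    {"@timestamp": "2021-04-27T10:00:00Z", "event.action": "login_failed", "user": "alice"},
    {"@timestamp": "2021-04-27T10:01:00Z", "event.action": "login_success", "user": "bob"},
    {"@timestamp": "2021-04-27T10:02:00Z", "event.action": "login_failed", "user": "alice"},
    {"@timestamp": "2021-04-27T10:03:30Z", "event.action": "login_failed", "user": "alice"},
    {"@timestamp": "2021-04-27T10:20:00Z", "event.action": "login_failed", "user": "alice"},
    {"@timestamp": "2021-04-27T10:40:00Z", "event.action": "login_failed", "user": "alice"},
]

def parse_ts(value):
    # strptime instead of fromisoformat keeps this Python 3.6 compatible
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def matches_filter(event, filters):
    # Only Elasticsearch 'term' clauses are handled; query_string etc. are out of scope
    return all(event.get(field) == expected
               for clause in filters for field, expected in clause["term"].items())

def evaluate_frequency(rule, events):
    """Return one match per alert: the event whose arrival fills the sliding window."""
    window = timedelta(**rule["timeframe"])
    recent = deque()  # timestamps of matching events still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not matches_filter(ev, rule["filter"]):
            continue
        now = parse_ts(ev["@timestamp"])
        recent.append(now)
        while now - recent[0] > window:  # drop hits that aged out of the timeframe
            recent.popleft()
        if len(recent) >= rule["num_events"]:
            alerts.append({"@timestamp": ev["@timestamp"], "num_hits": len(recent)})
            recent.clear()  # fresh window so the same hits are not alerted on twice
    return alerts
```

Calling evaluate_frequency(RULE, EVENTS) yields a single match at 10:03:30 (three failed logins inside five minutes); the two later failures are too far apart to count together, which is the behaviour the timeframe setting buys you.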

Testing and running your rule

You can test your rule before running it with elastalert-test-rule:

elastalert-test-rule --config <absolute path to config.yaml> example_rules/example_frequency.yaml

Next, you can run it directly with python —

python -m elastalert.elastalert --verbose --rule example_frequency.yaml

Now it’ll be up and running!

In case you face issues other than the ones mentioned, I’d appreciate it if you mention them in the comments. You can also refer to the ElastAlert docs for a thorough study.

Thank you for reading!
