π This writeup is part of “Elasticsearch Deploy Docs” series
Elastalert
π Official docs π Official project Repo
Elastalert is developed by Yelp written in python, queries docs in elasticsearch and send alerts depends on the rules.
Since Elastalert is not part of Elasticsearch plugin, we can install it where ever we want to.
Installation
β Refer elasticsearch-deploy-notes/elastalert for example config
$ sudo apt-get install python3-pip
$ sudo pip3 install elastalert
$ sudo pip3 install -U PyYAML
$ mkdir -p /opt/elastalert/rules
## Copy alert rules yaml files and config file to /opt/elastalert and /opt/elastalert/rules accordingly from this repo
- Recommended to create index in elasticsearch for elastalert to store metadata
$ elastalert-create-index
Elastic Version: 7.7.0
Reading Elastic 6 index mappings:
Reading index mapping 'es_mappings/6/silence.json'
Reading index mapping 'es_mappings/6/elastalert_status.json'
Reading index mapping 'es_mappings/6/elastalert.json'
Reading index mapping 'es_mappings/6/past_elastalert.json'
Reading index mapping 'es_mappings/6/elastalert_error.json'
New index elastalert_status created
Done!
- Test rules in case if it is needed
$ elastalert-test-rule --config /opt/elastalert/config.yaml /opt/elastalert/rules/heartbeat_checks.yml
Postfix Gmail SMTP
In oder to use Gmail as SMTP, you need to enable 2-Factor authentication and generate app password
- First configure 2-Factor Authentication at google accounts security
- Generate app passwords at app password generation
- Click Select app and choose Other (custom name) from the dropdown. Enter βPostfixβ and click Generate.
- Copy App Password
- Install Postfix package
sudo apt-get -y install postfix mailutils libsasl2-2 ca-certificates libsasl2-modules
While postfix package install, it will prompt for configuration, default options/configs are sufficient i.e don’t have to change anything
Add below config in
/etc/postfix/main.cf
relayhost = [smtp.gmail.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
smtp_use_tls = yes
- Add email and app password in
/etc/postfix/sasl_passwd
[smtp.gmail.com]:587 xxxxx@yourdomain.de:xxx xxxxx xxxxx xxxxx
- Start daemon
sudo chmod 400 /etc/postfix/sasl_passwd
sudo postmap /etc/postfix/sasl_passwd
sudo systemctl restart postfix
- Test it
echo "Testing" | mail -s "Test Email" soap@gmail.com
sudo postqueue -p
Daemonize the Elastalert
We will use supervisord to run ElastAlert.
- Install supervisord
$ sudo pip3 install supervisord
- Review supervisor config and copy
$ ls /etc/supervisordconf
/etc/supervisord.conf
- Enable and start the deamon
root@s-root-odoo03 ~ # supervisorctl
supervisor> add elastalert
supervisor> start elastalert
supervisor> exit