elastalert-server: Server: Stopping server
I'm trying to set up the ElastAlert server but it gives the following error:
08:31:10.877Z INFO elastalert-server:
ProcessController: Elastic Version:6
Mapping used for string:{'type': 'keyword'}
Index elastalert_status already exists. Skipping index creation.
08:31:10.877Z INFO elastalert-server: ProcessController: Index create exited with code 0
08:31:10.878Z INFO elastalert-server: ProcessController: Starting elastalert with arguments [none]
08:31:10.886Z INFO elastalert-server: ProcessController: Started Elastalert (PID: 47)
08:31:10.887Z INFO elastalert-server: Server: Server listening on port 3030
08:31:10.888Z INFO elastalert-server: Server: Websocket listening on port 3333
08:31:10.889Z INFO elastalert-server: Server: Server started
08:31:11.734Z ERROR elastalert-server:
ProcessController: Traceback (most recent call last):
File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
08:31:11.734Z ERROR elastalert-server:
ProcessController: "__main__", fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/opt/elastalert/elastalert/elastalert.py", line 1929, in <module>
sys.exit(main(sys.argv[1:]))
File "/opt/elastalert/elastalert/elastalert.py", line 1925, in main
08:31:11.735Z ERROR elastalert-server:
ProcessController: client.start()
File "/opt/elastalert/elastalert/elastalert.py", line 1106, in start
self.run_all_rules()
File "/opt/elastalert/elastalert/elastalert.py", line 1158, in run_all_rules
08:31:11.735Z ERROR elastalert-server:
ProcessController: self.send_pending_alerts()
File "/opt/elastalert/elastalert/elastalert.py", line 1534, in send_pending_alerts
08:31:11.736Z ERROR elastalert-server:
ProcessController: pending_alerts = self.find_recent_pending_alerts(self.alert_time_limit)
File "/opt/elastalert/elastalert/elastalert.py", line 1526, in find_recent_pending_alerts
08:31:11.736Z ERROR elastalert-server:
ProcessController: size=1000)
File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/client/utils.py", line 84, in _wrapped
return func(*args, params=params, **kwargs)
TypeError: search() got an unexpected keyword argument 'doc_type'
08:31:11.775Z ERROR elastalert-server: ProcessController: ElastAlert exited with code 1
08:31:11.776Z INFO elastalert-server: Server: Stopping server
08:31:11.776Z INFO elastalert-server: ProcessController: ElastAlert is not running
08:31:11.776Z INFO elastalert-server: Server: Server stopped. Bye!
I'm seeing the same thing. Here's the error I get when I launch Elastalert for the first time. I'm running elasticsearch 7.4.2.
20:31:54.358Z ERROR elastalert-server:
ProcessController: Traceback (most recent call last):
File "/usr/lib/python2.7/runpy.py", line 174, in _run_module_as_main
"__main__", fname, loader, pkg_name)
File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
exec code in run_globals
File "/opt/elastalert/elastalert/create_index.py", line 275, in <module>
main()
File "/opt/elastalert/elastalert/create_index.py", line 252, in main
es.indices.put_mapping(index=index, doc_type='elastalert', body=es_mapping)
File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/client/utils.py", line 84, in _wrapped
return func(*args, params=params, **kwargs)
File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/client/indices.py", line 339, in put_mapping
"PUT", _make_path(index, "_mapping", doc_type), params=params, body=body,
File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/transport.py", line 353, in perform_request
timeout=timeout,
File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/connection/http_requests.py", line 143, in perform_request
self._raise_error(response.status_code, raw_data)
File "/usr/lib/python2.7/site-packages/elasticsearch-7.0.1-py2.7.egg/elasticsearch/connection/base.py", line 168, in _raise_error
status_code, error_message, additional_info,
elasticsearch.exceptions.RequestError: RequestError(400, u'illegal_argument_exception', u'Types cannot be provided in put mapping requests, unless the include_type_name parameter is set to true.')
I'm running into the same error.
Hi, any update here?
same error, any updates?
I have the same error when launching ElastAlert. I'm running ElasticSearch 5.4.0.
Share how to get it working
With elastic_search_status.sh and elastalert-start.sh, ElastAlert will only start after Elasticsearch becomes connectable.
Elasticsearch 7.4.2, Kibana 7.4.2, kibana-elastalert-plugin, bitsensor/elastalert:3.0.0-beta.0
/home/user/docker-wk
|--docker-compose.yml
|--Dockerfiles
| |--Dockerfile-elastalert
| |--Dockerfile-kibana
|
|--es
| |--config
| | |--elasticsearch.yml
| |--data
|
|--kibana
| |--config
| | |--kibana.yml
|
|--elastalert
| |--bin
| | |--elastalert-start.sh
| | |--elastic_search_status.sh
| |--config
| | |--config.json
| | |--elastalert-test.yaml
| | |--elastalert.yaml
| |--rule_templates
| |--rules
docker-compose.yml
version: "3.7"
services:
  elasticsearch:
    container_name: elasticsearch
    image: docker.elastic.co/elasticsearch/elasticsearch:7.4.2
    ports:
      - 9200:9200
      - 9300:9300
    environment:
      - ES_JAVA_OPTS=-Xms128m -Xmx256m
      - discovery.type=single-node
    restart: always
    volumes:
      - ./es/data:/usr/share/elasticsearch/data
      - ./es/config/elasticsearch.yml:/usr/share/elasticsearch/config/elasticsearch.yml
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:9200 || exit 1"]
      interval: 30s
      timeout: 15s
      retries: 3
      start_period: 180s
  kibana:
    container_name: kibana
    build:
      context: .
      dockerfile: Dockerfiles/Dockerfile-kibana
    image: kibana:7.4.2
    ports:
      - 5601:5601
    depends_on:
      - elasticsearch
    restart: always
    volumes:
      - ./kibana/config/kibana.yml:/usr/share/kibana/config/kibana.yml
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:5601/api/status || exit 1"]
      interval: 30s
      timeout: 15s
      retries: 3
      start_period: 200s
  elastalert:
    container_name: elastalert
    build:
      context: .
      dockerfile: Dockerfiles/Dockerfile-elastalert
    image: elastalert:3.0.0-beta.0
    ports:
      - 3030:3030
      - 3333:3333
    depends_on:
      - elasticsearch
      - kibana
    restart: always
    volumes:
      - ./elastalert/config/elastalert.yaml:/opt/elastalert/config.yaml
      - ./elastalert/config/elastalert-test.yaml:/opt/elastalert/config-test.yaml
      - ./elastalert/config/config.json:/opt/elastalert-server/config/config.json
      - ./elastalert/rules:/opt/elastalert/rules
      - ./elastalert/rule_templates:/opt/elastalert/rule_templates
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:3030 || exit 1"]
      interval: 30s
      timeout: 15s
      retries: 3
      start_period: 200s
es/config/elasticsearch.yml
cluster.name: "docker-cluster"
network.host: 0.0.0.0
discovery.zen.minimum_master_nodes: 1
kibana/config/kibana.yml
server.name: kibana
server.host: "0"
elasticsearch.hosts: http://elasticsearch:9200
xpack.monitoring.ui.container.elasticsearch.enabled: true
# elastalert-kibana-plugin
elastalert-kibana-plugin.serverHost: elastalert
elastalert-kibana-plugin.serverPort: 3030
Dockerfiles/Dockerfile-kibana
FROM docker.elastic.co/kibana/kibana:7.4.2
USER root
RUN /usr/share/kibana/bin/kibana-plugin install https://github.com/bitsensor/elastalert-kibana-plugin/releases/download/1.1.0/elastalert-kibana-plugin-1.1.0-7.4.2.zip --allow-root
USER kibana
Dockerfiles/Dockerfile-elastalert
FROM bitsensor/elastalert:3.0.0-beta.0
USER root
RUN apk update && \
    apk add bash curl && \
    rm -rf /var/cache/apk/*
ADD elastalert/bin/elastalert-start.sh /usr/local/bin/
ADD elastalert/bin/elastic_search_status.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/elastalert-start.sh
RUN chmod +x /usr/local/bin/elastic_search_status.sh
USER node
ENTRYPOINT ["/usr/local/bin/elastalert-start.sh"]
elastalert/bin/elastic_search_status.sh
#!/bin/bash
set -e
# Resolve the Elasticsearch URL: explicit argument first, then ELASTICSEARCH_URL,
# then ES_HOST/ES_PORT, and finally the compose service name.
if [ $# -gt 0 ]; then
  ES_URL="$1"
elif [[ -n $ELASTICSEARCH_URL ]]; then
  ES_URL="$ELASTICSEARCH_URL"
elif [[ -n $ES_HOST ]] && [[ -n $ES_PORT ]]; then
  ES_URL="http://$ES_HOST:$ES_PORT"
else
  ES_URL="http://elasticsearch:9200"
fi
# Poll _cat/health once a second until the cluster reports yellow or green.
# The command substitution sits inside [[ ]], so a failing curl does not trip set -e.
until [[ "$(curl -fsSL "$ES_URL/_cat/health?h=status" | sed -r 's/^[[:space:]]+|[[:space:]]+$//g')" =~ ^(yellow|green)$ ]]; do
  # printf '+' >&2
  sleep 1
done
echo "Elasticsearch is up and healthy at $ES_URL" >&2
elastalert/bin/elastalert-start.sh
#!/bin/bash
set -e
# ELASTICSEARCH_URL is not set in this compose file, so fall back to the same
# default that elastic_search_status.sh uses instead of printing an empty name.
echo "Giving Elasticsearch at ${ELASTICSEARCH_URL:-http://elasticsearch:9200} time to start..."
elastic_search_status.sh
echo "Starting ElastAlert!"
npm start
elastalert/config/config.json
{
  "appName": "elastalert-server",
  "port": 3030,
  "wsport": 3333,
  "elastalertPath": "/opt/elastalert",
  "verbose": false,
  "es_debug": false,
  "debug": false,
  "rulesPath": {
    "relative": true,
    "path": "/rules"
  },
  "templatesPath": {
    "relative": true,
    "path": "/rule_templates"
  },
  "es_host": "elasticsearch",
  "es_port": 9200,
  "writeback_index": "elastalert_status"
}
elastalert/config/elastalert-test.yml
# NOTE: This config is used when testing a rule
# The elasticsearch hostname for metadata writeback
# Note that every rule can have its own elasticsearch host
es_host: elasticsearch
# The elasticsearch port
es_port: 9200
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules
# How often ElastAlert will query elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  seconds: 5
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 1
# Optional URL prefix for elasticsearch
#es_url_prefix: elasticsearch
# Connect with TLS to elasticsearch
#use_ssl: True
# Verify TLS certificates
#verify_certs: True
# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET
# Option basic-auth username and password for elasticsearch
#es_username: someusername
#es_password: somepassword
# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
elastalert/config/elastalert.yml
# The elasticsearch hostname for metadata writeback
# Note that every rule can have its own elasticsearch host
es_host: elasticsearch
# The elasticsearch port
es_port: 9200
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules
# How often ElastAlert will query elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  seconds: 5
# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 1
# Optional URL prefix for elasticsearch
#es_url_prefix: elasticsearch
# Connect with TLS to elasticsearch
#use_ssl: True
# Verify TLS certificates
#verify_certs: True
# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET
# Option basic-auth username and password for elasticsearch
#es_username: someusername
#es_password: somepassword
# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status
# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 2
chmod 777 es/data
chmod 777 elastalert/rules
chmod 777 elastalert/rule_templates
docker-compose up -d
[CORP\sano@a-ngft53r34ong docker-wk]$ docker logs elastalert -f
Giving Elasticsearch at time to start...
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
curl: (7) Failed to connect to elasticsearch port 9200: Connection refused
Elasticsearch is up and healthy at http://elasticsearch:9200
Starting ElastAlert!
> @bitsensor/[email protected] start /opt/elastalert-server
> sh ./scripts/start.sh
14:45:00.311Z INFO elastalert-server: Config: No config.dev.json file was found in /opt/elastalert-server/config/config.dev.json.
14:45:00.320Z INFO elastalert-server: Config: Proceeding to look for normal config file.
14:45:00.370Z INFO elastalert-server: Config: A config file was found in /opt/elastalert-server/config/config.json. Using that config.
14:45:00.431Z INFO elastalert-server: Router: Listening for GET request on /.
14:45:00.432Z INFO elastalert-server: Router: Listening for GET request on /status.
14:45:00.433Z INFO elastalert-server: Router: Listening for GET request on /status/control/:action.
14:45:00.434Z INFO elastalert-server: Router: Listening for GET request on /status/errors.
14:45:00.434Z INFO elastalert-server: Router: Listening for GET request on /rules.
14:45:00.439Z INFO elastalert-server: Router: Listening for GET request on /rules/:id.
14:45:00.440Z INFO elastalert-server: Router: Listening for POST request on /rules/:id.
14:45:00.441Z INFO elastalert-server: Router: Listening for DELETE request on /rules/:id.
14:45:00.442Z INFO elastalert-server: Router: Listening for GET request on /templates.
14:45:00.442Z INFO elastalert-server: Router: Listening for GET request on /templates/:id.
14:45:00.443Z INFO elastalert-server: Router: Listening for POST request on /templates/:id.
14:45:00.444Z INFO elastalert-server: Router: Listening for DELETE request on /templates/:id.
14:45:00.445Z INFO elastalert-server: Router: Listening for POST request on /test.
14:45:00.446Z INFO elastalert-server: Router: Listening for GET request on /config.
14:45:00.446Z INFO elastalert-server: Router: Listening for POST request on /config.
14:45:00.447Z INFO elastalert-server: Router: Listening for POST request on /download.
14:45:00.448Z INFO elastalert-server: Router: Listening for GET request on /metadata/:type.
14:45:00.449Z INFO elastalert-server: Router: Listening for GET request on /mapping/:index.
14:45:00.449Z INFO elastalert-server: Router: Listening for POST request on /search/:index.
14:45:00.454Z INFO elastalert-server: ProcessController: Starting ElastAlert
14:45:00.454Z INFO elastalert-server: ProcessController: Creating index
14:45:06.677Z INFO elastalert-server:
ProcessController: Elastic Version: 7.4.2
Reading Elastic 6 index mappings:
Reading index mapping 'es_mappings/6/silence.json'
Reading index mapping 'es_mappings/6/elastalert_status.json'
Reading index mapping 'es_mappings/6/elastalert.json'
Reading index mapping 'es_mappings/6/past_elastalert.json'
Reading index mapping 'es_mappings/6/elastalert_error.json'
New index elastalert_status created
Done!
14:45:06.677Z INFO elastalert-server: ProcessController: Index create exited with code 0
14:45:06.677Z INFO elastalert-server: ProcessController: Starting elastalert with arguments [none]
14:45:06.689Z INFO elastalert-server: ProcessController: Started Elastalert (PID: 215)
14:45:06.694Z INFO elastalert-server: Server: Server listening on port 3030
14:45:06.695Z INFO elastalert-server: Server: Websocket listening on port 3333
14:45:06.696Z INFO elastalert-server: Server: Server started
14:45:08.640Z INFO elastalert-server:
ProcessController: 0 rules loaded
14:45:24.774Z INFO elastalert-server: Routes: Successfully handled GET request for '/'.
14:45:55.364Z INFO elastalert-server: Routes: Successfully handled GET request for '/'.
14:46:25.876Z INFO elastalert-server: Routes: Successfully handled GET request for '/'.
14:46:56.393Z INFO elastalert-server: Routes: Successfully handled GET request for '/'.
14:47:26.901Z INFO elastalert-server: Routes: Successfully handled GET request for '/'.
14:47:57.316Z INFO elastalert-server: Routes: Successfully handled GET request for '/'.
14:48:27.759Z INFO elastalert-server: Routes: Successfully handled GET request for '/'.
^C
[CORP\sano@a-ngft53r34ong docker-wk]$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f7b1f2624b4f elastalert:3.0.0-beta.0 "/usr/local/bin/elas…" 4 minutes ago Up 4 minutes (healthy) 0.0.0.0:3030->3030/tcp, 0.0.0.0:3333->3333/tcp elastalert
5959a6777f42 kibana:7.4.2 "/usr/local/bin/dumb…" 4 minutes ago Up 4 minutes (healthy) 0.0.0.0:5601->5601/tcp kibana
112613b8f089 docker.elastic.co/elasticsearch/elasticsearch:7.4.2 "/usr/local/bin/dock…" 4 minutes ago Up 4 minutes (healthy) 0.0.0.0:9200->9200/tcp, 0.0.0.0:9300->9300/tcp elasticsearch
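The two tracebacks at the top of the thread are one mismatch seen from two sides: an ElastAlert build that still sends a mapping type (`doc_type`) is run against a 7.x elasticsearch-py client, whose `search()` no longer accepts that keyword, and against a 7.x server, which answers a typed put-mapping with the 400 `illegal_argument_exception` unless `include_type_name=true` is passed. The block below is an added illustration, not code from this issue or from the ElastAlert or bitsensor projects: it parses the server version, applies the same yellow/green acceptance rule as the answer's `elastic_search_status.sh`, builds the writeback mapping and search requests in the form each major version accepts, and fails fast when client and server majors disagree. The `GET /` bodies, the `_cat/health` strings and the `alert_time` mapping field are constructed samples; nothing here contacts a cluster.

```python
"""Version-aware writeback preflight for an ElastAlert-style client.

Added example, not ElastAlert's own code. All responses are constructed.
"""
import json

# Constructed samples of what GET / returns (only the field used here).
SAMPLE_INFO_7 = json.dumps({"version": {"number": "7.4.2"}})
SAMPLE_INFO_6 = json.dumps({"version": {"number": "6.8.3"}})

# Constructed stand-in for one field of the elastalert_status mapping.
SAMPLE_PROPERTIES = {"alert_time": {"type": "date"}}


def es_major_version(info_body):
    """Major version parsed from the root endpoint's JSON body."""
    number = json.loads(info_body)["version"]["number"]
    return int(number.split(".")[0])


def cluster_ready(cat_health_status):
    """Same acceptance rule as elastic_search_status.sh in the answer:
    the bare status column of _cat/health must read yellow or green."""
    return cat_health_status.strip() in ("yellow", "green")


def put_mapping_request(index, doc_type, properties, major, keep_type=False):
    """(method, path, params, body) for the writeback index mapping.

    ES 5/6 : typed path    PUT /<index>/_mapping/<type>
    ES 7   : untyped path  PUT /<index>/_mapping
             or the legacy typed path only with include_type_name=true,
             which is exactly what the 400 in the thread complains about.
    """
    body = {"properties": properties}
    if major >= 7 and not keep_type:
        return ("PUT", "/%s/_mapping" % index, {}, body)
    params = {"include_type_name": "true"} if major >= 7 else {}
    return ("PUT", "/%s/_mapping/%s" % (index, doc_type), params, body)


def search_kwargs(index, body, major, doc_type="elastalert"):
    """Keyword arguments for Elasticsearch.search(). The doc_type parameter
    exists only in clients older than 7.x, so it is omitted from 7 on;
    passing it to a 7.x client is the TypeError in the first traceback."""
    kwargs = {"index": index, "body": body}
    if major < 7:
        kwargs["doc_type"] = doc_type
    return kwargs


def preflight(client_major, server_major):
    """Fail with a readable message before the first writeback call
    instead of letting the process die mid-run. Returns the agreed major."""
    if client_major != server_major:
        raise RuntimeError(
            "elasticsearch-py %d.x against Elasticsearch %d.x: writeback calls "
            "will fail on doc_type/type handling; align the client and the "
            "ElastAlert build with the server" % (client_major, server_major))
    return server_major


if __name__ == "__main__":
    major = es_major_version(SAMPLE_INFO_7)
    preflight(7, major)
    print(cluster_ready(" yellow\n"))
    print(put_mapping_request("elastalert_status", "elastalert", SAMPLE_PROPERTIES, major))
    print(search_kwargs("elastalert_status", {"query": {"match_all": {}}}, major))
```

The point of `preflight` is placement: ElastAlert only discovers the mismatch inside `send_pending_alerts` or `create_index`, after the server has already reported "Server started", which is why the logs above show a healthy start followed by exit code 1. Checking the two majors against each other before the first writeback turns that into a single clear error at startup.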
@nsano-rururu thanks for the answer. It's working fine. Can you please guide me on how to raise an email alert from a Kibana dashboard? I mean, in a vertical bar graph, if the value of a vertical bar exceeds a threshold value then we need to trigger an alert. Here is the sample frequency rule that I have tried from the elastalert-kibana-plugin, and I received a mail at the address specified in the rule:
name: A quick demo of email alert
type: frequency
index: filebeat-*
num_events: 3
timeframe:
  hours: 1
filter:
- term:
    process.name: "filebeat"
alert:
- "email"
email:
- "[email protected]"
I'm sorry, I don't understand.
@nsano-rururu I am using the elastalert kibana plugin in Kibana for raising alerts to email. I have created a Kibana dashboard in which there is a panel consisting of a vertical bar graph (reference image). Now in that image, if any one of the bar values exceeds 3 then I have to raise an alert to the email. I want to use that dashboard for raising the alerts based on the required filters as mentioned above. Can you help me out with how to write a rule for raising the alert?
It works. Thank you.
There's a small error in the name of elastalert.yml and elastalert-test.yml which is elastalert.yaml and elastalert-test.yaml.