ES 7.1.1 runs with which ElastAlert version?
I tried to set up ElastAlert to run with my installed ES 7.1.1, but ElastAlert keeps telling me that it sent mail to my address, and it never reaches my account. Can you please tell me with which ES version I can use alerting with ElastAlert?
Thanks!
Where did you configure this to work with 7.1.1?
I am working on a CentOS 7 server. I also tried with elastalert-0.2.0b2 but have never been able so far to make it run. When I downgrade ES, it gets in trouble, being unable to communicate.
I need you to explain to me exactly how I should proceed, what the right way is to make it run properly...
I need this to start deploying ES.
Please help me step by step, I'm new to open-source apps.
Below is how I proceeded:
- I configured both Elasticsearch and Kibana on the same server
- Configured Metricbeat and Filebeat on two other machines (one Windows server and my own PC)
- Everything runs properly in version 7.1.1.
- Configured ElastAlert on the same server as ES and Kibana. It runs in --debug mode with some hits and some matches values, but it is not sending email alerts. I'll put its config here
This was the config.yaml file:

```yaml
# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
  minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
  minutes: 15

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: x.x.x.x

# The Elasticsearch port
es_port: 9200

# The index on es_host which is used for metadata storage
# This can be an unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
  days: 0
```
and here is the rule's config:

```yaml
name: Metricbeat CPU Spike Rule
#type: metric_aggregation
#es_host: localhost
#es_port: 9200
index: metricbeat-*
buffer_time:
  hours: 1
metric_agg_key: system.cpu.user.pct
metric_agg_type: avg
query_key: beat.hostname
#doc_type: metricsets
bucket_interval:
  minutes: 5
sync_bucket_interval: true
#allow_buffer_time_overlap: true
#use_run_every_query_size: true
min_threshold: 0.1
max_threshold: 0.8
filter:
- term:
    metricset.name: cpu

# (Required)
# The alert is used when a match is found
alert:
- "debug"
- email

email:
- "[email protected]"
```
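A small pre-flight checker for the kind of rule and config posted above, added here as an example for this thread; it is not ElastAlert's own code. It runs the checks a reviewer would make by hand before asking why no mail arrives: the required rule keys are present (a commented-out `#type:` line does not count), every time window is a unit mapping rather than a flattened one-liner, `alert_time_limit` is not zero, the `email` alerter has a top-level `email` list and an `smtp_host`, and the process is not being run with `--debug`, which swaps every alerter for the debug alerter and prints alerts instead of sending them. The sample dicts below are constructed to mirror the posted files (with an `example.com` address as a placeholder); the `debug_mode` flag and `check_rule` are this example's own names, and the rule is given as a plain dict so the script needs no YAML library.

```python
"""Pre-flight checks for an ElastAlert rule plus global config (added example, not ElastAlert code)."""
from typing import Any, Dict, List

# Time windows are mappings of unit -> number, e.g. {minutes: 5}; "weeks to seconds" per config.yaml.
TIME_UNITS = {"weeks", "days", "hours", "minutes", "seconds"}
RULE_REQUIRED = ("name", "type", "index", "alert")
METRIC_AGG_REQUIRED = ("metric_agg_key", "metric_agg_type")
WINDOW_KEYS = ("run_every", "buffer_time", "bucket_interval", "alert_time_limit")


def _check_window(cfg: Dict[str, Any], key: str, problems: List[str]) -> None:
    """A window must be a non-empty mapping of known units; a 0 alert_time_limit disables retries."""
    window = cfg.get(key)
    if window is None:
        return
    if not isinstance(window, dict) or not window or not set(window) <= TIME_UNITS:
        # A flattened "run_every: minutes: 1" on one line is not valid YAML either.
        problems.append(f"{key}: expected a mapping such as {{minutes: 5}}, got {window!r}")
        return
    if key == "alert_time_limit" and all(v == 0 for v in window.values()):
        problems.append("alert_time_limit is 0, so an alert that fails to send is never retried")


def check_rule(rule: Dict[str, Any], global_cfg: Dict[str, Any], debug_mode: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the rule passed every check."""
    problems: List[str] = []
    merged = {**global_cfg, **rule}  # per-rule keys override config.yaml

    for key in RULE_REQUIRED:
        if key not in rule:
            problems.append(f"missing required key '{key}' (a commented-out '#{key}:' line does not count)")

    for key in WINDOW_KEYS:
        _check_window(merged, key, problems)

    if rule.get("type") == "metric_aggregation":
        for key in METRIC_AGG_REQUIRED:
            if key not in rule:
                problems.append(f"metric_aggregation rule needs '{key}'")
        lo, hi = rule.get("min_threshold"), rule.get("max_threshold")
        if lo is None and hi is None:
            problems.append("metric_aggregation rule needs min_threshold and/or max_threshold")
        elif lo is not None and hi is not None and lo >= hi:
            problems.append("min_threshold must be below max_threshold")

    alerts = rule.get("alert", [])
    alerts = [alerts] if isinstance(alerts, str) else list(alerts)
    if "email" in alerts:
        recipients = merged.get("email")
        if not isinstance(recipients, list) or not all(isinstance(r, str) and "@" in r for r in recipients):
            problems.append("'email' alerter selected but 'email' is not a top-level list of addresses")
        if "smtp_host" not in merged:
            problems.append("smtp_host not set: ElastAlert will talk to an SMTP server on localhost")
        if debug_mode:
            problems.append("--debug replaces every alerter with the debug alerter, so no email is sent")
    return problems


# Constructed samples mirroring the files posted in this thread.
GLOBAL_CONFIG: Dict[str, Any] = {
    "rules_folder": "rules",
    "run_every": {"minutes": 1},
    "buffer_time": {"minutes": 15},
    "es_host": "x.x.x.x",
    "es_port": 9200,
    "writeback_index": "elastalert_status",
    "alert_time_limit": {"days": 0},
}

RULE_AS_POSTED: Dict[str, Any] = {
    "name": "Metricbeat CPU Spike Rule",
    # "type" is commented out in the posted rule, so it is deliberately absent here
    "index": "metricbeat-*",
    "buffer_time": {"hours": 1},
    "metric_agg_key": "system.cpu.user.pct",
    "metric_agg_type": "avg",
    "query_key": "beat.hostname",
    "bucket_interval": {"minutes": 5},
    "sync_bucket_interval": True,
    "min_threshold": 0.1,
    "max_threshold": 0.8,
    "filter": [{"term": {"metricset.name": "cpu"}}],
    "alert": ["debug", "email"],
    "email": ["alerts@example.com"],  # placeholder address, constructed
}

if __name__ == "__main__":
    for problem in check_rule(RULE_AS_POSTED, GLOBAL_CONFIG, debug_mode=True):
        print("-", problem)
```

Run against the posted files with `debug_mode=True`, the checker reports the missing `type`, the zero `alert_time_limit`, the absent `smtp_host` and the `--debug` run; add `type: metric_aggregation` and an `smtp_host`, raise `alert_time_limit`, and start ElastAlert without `--debug`, and the list comes back empty.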