• configurations

  • config.yaml - configurations file for elastalert
  • smtp_auth_file.yaml - authentication file for alerting via email
  • zdaemon.conf - configuration file for runneing elastalert as a daemon using zdaemon

• rules - contains sample configurations rules to alert on CPU, memory and disk usage

• requirements.txt - required python dependencies

• Elasticsearch

• ISO8601 or Unix timestamped data

• Python 2.7

If you're using Anaconda, do the following:

• Create a new conda environment: conda create --name <name> python=2.7 -y.

• Switch to the created environment: source activate <name>.

• Install pip in the same environment: conda install pip. This is needed because most of the Elasalert package dependencies are not present in the Continuum channels.

Refer https://goo.gl/7QUSo2 for details on sharing a Conda environment. <br/ >

• Execute pip install -r requirements.txt to install the dependencies.

• Finally, run pip install elastalert.

• Create an index for ElastAlert to write to by running elastalert-create-index and follow the input prompts.

• Clone the Elastalert repo: git clone https://github.com/yelp/elastalert.

• Navigate to the cloned repo and create config.yaml file with these settings:

rules_folder: alert_rules
run_every:
  seconds: 10
buffer_time:
  seconds: 10
#es_username: <username>
#es_password: <password>
es_host: localhost
es_port: 9200
alert_time_limit:
  days: 1

• Create a directory called alert_rules. Navigate to it and create your yaml rule files in the same folder.

• elastalert-test-rule alert_rules/<your_rule_name>.yaml.

• python -m elastalert.elastalert --verbose --rule <your_rule_name>.yaml.

• python -m elastalert.elastalert --verbose --config config.yaml

This will load all the rules present in the alert_rules directory.

• Install zdaemon: pip install zdaemon. (https://goo.gl/FCww8S)

• Create a zdaemon.conf file with these contents:

<runner>
  program python -m elastalert.elastalert --conf config.yaml
  socket-name /tmp/elastalert.zdsock
  forever true
</runner>

• To start Elastalert, execute: zdaemon -C zdaemon.conf start.

• To stop Elastalert, execute: zdaemon -C zdaemon.conf stop.

• Alerting via Email

  • In the yaml file of the specific rule, append the following:

    alert:
    - email
    email: 
    	- "<email-to-which-the-alert-will-be-sent>"
    smtp_host: "smtp.gmail.com" #for google email addresses
    smtp_port: 465 #for google email addresses
    smtp_ssl: true
    from_addr: "<email-from-which-the-alert-will-be-sent>"
    smtp_auth_file: "<name-of-the-authentication-file>.yaml"

  • Contents of the smtp_auth_file.yaml include user and password fields:

    user: "<email-address>"
    password: "<password>"

• Alerting via Slack

  • In the yaml file of the specific rule, append the following:

    alert:
     - slack
    slack_webhook_url: "<webhook-url-of-the-slack-channel>"
    slack_channel_override: "#<channel-name>"
    slack_username_override: "@<user-name>"