HOWTO use ElastAlert in development mode
Why do that
You have a complete Punchplatform and want to test simple alerting rules.
Prerequisites
In a standalone version, select "ElastAlert" while executing install.sh (or directly: ./install.sh -s --with-elastalert).
What to do
Configuration
The Punchplatform standalone ships default rules in the elastalert channel of the mytenant tenant, but you may want to create your own.
To do so, add your new rule to the elastalert channel's rules folder, or create a new channel with a similar implementation.
Start ElastAlert
This command starts all rules in the elastalert rules folder:
punchplatform-elastalert.sh --config myconfig.yaml --start
You can also start a single rule:
punchplatform-elastalert.sh --config myconfig.yaml --rule <my_rule> --start
Check what is happening
You can follow the logs:
tail -f $PUNCHPLATFORM_CONF_DIR/../logs/elastalert.log
or check the elastalert indices in Kibana.
Debug a rule
First, check your rule syntax:
punchplatform-elastalert.sh --config myconfig.yaml --test-rule <my_rule>
Then, if the syntax is correct, set the "alert" key in your .yaml rule file as follows, so that matches are only logged instead of being sent to a real alerter:
...
alert:
- debug
...
Next, stop the ElastAlert daemon and run the process in the foreground. Use Ctrl + C to stop it.
punchplatform-elastalert.sh --stop
stopping Elastalert...
punchplatform-elastalert.sh --config myconfig.yaml --start-foreground
create elastalert_status indice if necessary
starting Elastalert...
INFO:elastalert:Starting up
INFO:elastalert:Queried rule [RULE_NAME] from 2017-11-09 11:46 CET to 2017-11-09 11:48 CET: 1269 / 1269 hits
INFO:elastalert:Alert for [RULE_NAME] at 2017-11-09T10:46:58.646Z:
INFO:elastalert:[RULE_NAME]
...
To see which alerts were actually sent, query the elastalert_status index from:
- Elasticsearch:
curl -X GET 'localhost:9200/elastalert_status/elastalert/_search?pretty&q=alert_sent:true'
- Kibana, with the elastalert_status index pattern and the following Lucene query:
_type:elastalert AND alert_sent:true
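As an added example (not part of this page or of the Punchplatform tooling), the following Python script parses foreground log lines in the format shown above and summarises, per rule, how many query windows ran, how many hits came back and how many alerts fired, so a rule that never matches or one that alerts in every window stands out. The log sample and rule names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the foreground log format shown above, with the
# [RULE_NAME] placeholders replaced by made-up rule names (not a real run).
SAMPLE_LOG = """\
INFO:elastalert:Starting up
INFO:elastalert:Queried rule [ssh_bruteforce] from 2017-11-09 11:46 CET to 2017-11-09 11:48 CET: 1269 / 1269 hits
INFO:elastalert:Alert for [ssh_bruteforce] at 2017-11-09T10:46:58.646Z:
INFO:elastalert:[ssh_bruteforce]
INFO:elastalert:Queried rule [new_admin_user] from 2017-11-09 11:46 CET to 2017-11-09 11:48 CET: 0 / 0 hits
INFO:elastalert:Queried rule [any_login_failure] from 2017-11-09 11:46 CET to 2017-11-09 11:48 CET: 3 / 3 hits
INFO:elastalert:Alert for [any_login_failure] at 2017-11-09T10:47:10.000Z:
INFO:elastalert:Queried rule [ssh_bruteforce] from 2017-11-09 11:48 CET to 2017-11-09 11:50 CET: 7 / 7 hits
"""

# Brackets around the rule name are optional so the regexes also accept
# rule names logged without them.
QUERY_RE = re.compile(
    r"^INFO:elastalert:Queried rule \[?(?P<rule>.+?)\]? from (?P<start>.+?) to (?P<end>.+?): "
    r"(?P<hits>\d+) / (?P<total>\d+) hits$"
)
ALERT_RE = re.compile(r"^INFO:elastalert:Alert for \[?(?P<rule>.+?)\]? at (?P<ts>\S+):$")


def parse_elastalert_log(text):
    """Return {rule: {"queries": n, "hits": n, "alerts": n}} from foreground log text."""
    stats = defaultdict(lambda: {"queries": 0, "hits": 0, "alerts": 0})
    for line in text.splitlines():
        q, a = QUERY_RE.match(line), ALERT_RE.match(line)
        if q:
            stats[q["rule"]]["queries"] += 1
            stats[q["rule"]]["hits"] += int(q["hits"])
        elif a:
            stats[a["rule"]]["alerts"] += 1
    return dict(stats)


def silent_rules(stats):
    """Rules queried but never matching anything: suspect the index or filter."""
    return sorted(r for r, s in stats.items() if s["queries"] and s["hits"] == 0)


def noisy_rules(stats):
    """Rules that alerted in every query window: the threshold is probably too low."""
    return sorted(r for r, s in stats.items() if s["queries"] and s["alerts"] >= s["queries"])
```

Run it against the real log file with `parse_elastalert_log(open(path).read())` once the daemon has been started in foreground mode.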