HOWTO use Elastalert in development mode

Why do that

You have a complete punchpatform but you want to test simple alerting.

Prerequisites

In a standalone version, select "ElastAlert" while executing install.sh (or directly: ./install.sh -s --with-elastalert).

What to do

Configuration

The Punchplatform standalone ships default rules in the elastalert channel of the tenant mytenant, but you may want to create your own. To do that, add your new rule to the elastalert rules folder, or create a new channel with a similar implementation.

Start Elastalert

This command starts all rules in the elastalert rules folder:

punchplatform-elastalert.sh --config myconfig.yaml --start

You can also start a single rule by doing:

punchplatform-elastalert.sh --config myconfig.yaml --rule <my_rule> --start

Check what is happening

You can check the logs:

tail -f $PUNCHPLATFORM_CONF_DIR/../logs/elastalert.log

Or check the elastalert indices in Kibana.

Debug a rule

First, check your rule syntax by doing:

punchplatform-elastalert.sh --config myconfig.yaml --test-rule <my_rule>

Then, if the syntax is correct, update the "alert" key in your .yaml rule file as follows:

...

alert:
    - debug
...

Next, stop the ElastAlert daemon and run the process in foreground mode (use Ctrl + C to stop it):

punchplatform-elastalert.sh --stop
  stopping Elastalert...

punchplatform-elastalert.sh --config myconfig.yaml --start-foreground
  create elastalert_status indice if necessary
  starting Elastalert...
  INFO:elastalert:Starting up
  INFO:elastalert:Queried rule [RULE_NAME] from 2017-11-09 11:46 CET to 2017-11-09 11:48 CET: 1269 / 1269 hits
  INFO:elastalert:Alert for [RULE_NAME] at 2017-11-09T10:46:58.646Z:
  INFO:elastalert:[RULE_NAME]
  ...

Now, when an alert is sent, you will see it both in your terminal and in Elasticsearch. In Elasticsearch, you can easily find your alerts using one of these two options:

  • Elasticsearch:

    curl -X GET 'localhost:9200/elastalert_status/elastalert/_search?pretty&q=alert_sent:true'

  • Kibana, with the elastalert_status index pattern and the following Lucene query:

    _type:elastalert AND alert_sent:true
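As an added example (not part of this page or of the punchplatform tooling), the following Python parses a response of the kind the curl query above returns from elastalert_status and summarises, per rule, how many alerts were sent, how many failed and when the last one fired, which is a quick way to confirm a development rule is actually alerting. The field names rule_name, alert_time, alert_sent, alert_exception and match_body are assumed from ElastAlert's writeback document layout, and the sample response is constructed.

```python
import json
from collections import defaultdict

# Constructed sample: the shape of a _search response from the elastalert_status
# index. Field names are assumed from ElastAlert's writeback documents; adjust
# them if your ElastAlert version stores alerts differently.
SAMPLE_RESPONSE = json.dumps({
    "hits": {"total": 3, "hits": [
        {"_type": "elastalert", "_source": {
            "rule_name": "ssh_bruteforce_dev", "alert_sent": True,
            "alert_time": "2017-11-09T10:46:58.646Z",
            "match_body": {"user": "root", "num_hits": 1269}}},
        {"_type": "elastalert", "_source": {
            "rule_name": "ssh_bruteforce_dev", "alert_sent": False,
            "alert_time": "2017-11-09T10:48:01.000Z",
            "alert_exception": "Error while running alert email: connection refused",
            "match_body": {"user": "admin", "num_hits": 42}}},
        {"_type": "elastalert", "_source": {
            "rule_name": "disk_full_dev", "alert_sent": True,
            "alert_time": "2017-11-09T10:47:10.000Z",
            "match_body": {"host": "node-1"}}},
    ]}
})


def summarize_alerts(response_json):
    """Group elastalert_status documents by rule name.

    Returns {rule_name: {"sent": n, "failed": n, "last_alert": iso_time,
                         "errors": [alert_exception strings]}}.
    A document with alert_sent false means ElastAlert matched the rule but the
    alerter (email, debug, ...) failed; its alert_exception tells you why.
    """
    summary = defaultdict(lambda: {"sent": 0, "failed": 0,
                                   "last_alert": "", "errors": []})
    for hit in json.loads(response_json)["hits"]["hits"]:
        src = hit["_source"]
        entry = summary[src["rule_name"]]
        if src.get("alert_sent"):
            entry["sent"] += 1
        else:
            entry["failed"] += 1
            entry["errors"].append(src.get("alert_exception", "unknown"))
        # ISO-8601 timestamps in UTC sort lexically, so max() gives the latest.
        entry["last_alert"] = max(entry["last_alert"], src.get("alert_time", ""))
    return dict(summary)


if __name__ == "__main__":
    for rule, info in summarize_alerts(SAMPLE_RESPONSE).items():
        print(f"{rule}: sent={info['sent']} failed={info['failed']} last={info['last_alert']}")
        for err in info["errors"]:
            print(f"  error: {err}")
```

To run it against a live standalone, replace SAMPLE_RESPONSE with the body returned by the curl command above.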