ElastAlert Configuration for n00bs — Part 2

Read Part 1 Here

How do we set elastalert to elasticsearch?

Before jumping to this, make sure elastic search is running & kibana (if required) for interface.

Yass!, ElastAlert will create an index in elastic search to write.

How to create index in elastic search for elastalert?

After installation, to run execute this command to create it.

$elastalert-create-index

it will ask for which index name do we need ,host and port info.if need to recreate it ? $elastalert-create-index — recreate

For More you can check $elastalert-create-index — help

Sample : you can check example folder for more info,As already we have seen
elastalert main configurations rule types and alerts.

Let see how to create a rule.

Each Rule define a query to perform action in elasticsearchlist of alerts

Above two points will be defined in rule. (sample rule file be like .yaml format).

Frequency rule type , hope from config will describe the info.

Config file for elastalert :(config.yaml) — global configurations.

As you can see we can override some info in rule level as level.

Frequency Rule Description : index (loginfo) records to fetch 1 minutes record , num_events must be there minimum is 30 in time frame of 30 seconds and rule will be run in every 1 minute to alert that rule.

In the next part we'll see each rule type in detail
and how to create custom rule type and enhance data in next part.

In case of queries please feel free to comment if any issues!.

Thanks for reading