
How to install ElastAlert on Ubuntu

How to install ElastAlert with Elasticsearch on Ubuntu




What is ElastAlert?


ElastAlert is a simple framework that periodically runs rule queries against data stored in Elasticsearch and sends an alert when a rule matches, for example when a pattern crosses a frequency threshold, when the volume of events spikes, or when other anomalies appear.



Prerequisites

Tested on Ubuntu 18.04 with Elasticsearch 7.2.0 and Python 3. All commands are run as root, which is why the working folder used below sits under /root.




Elastalert Installation



apt update
apt install python3-pip
pip3 install elastalert
pip3 install PyYAML==5.1





Elasticsearch Installation

wget https://artifacts.elastic.co/downloads/elasticsearch/elasticsearch-7.2.0-amd64.deb
dpkg -i elasticsearch-7.2.0-amd64.deb

systemctl start elasticsearch
systemctl status elasticsearch

Note that this Elasticsearch 7.2 install uses its defaults: it listens only on localhost and has neither authentication nor TLS enabled. That is why the ElastAlert files below connect to localhost:9200 over plain HTTP. Do not open port 9200 to other hosts in this state.


Elastalert Setup




Create the folder /root/emailalerts and, inside it, the three files listed under Reference Files at the end of this post:

/root/emailalerts/config.yaml
/root/emailalerts/rules/auth.yaml
/root/emailalerts/rules/nuwan_2mandata1.yaml

Then, from /root/emailalerts, create the index in which ElastAlert keeps its own state (the writeback_index from config.yaml):

elastalert-create-index
enter   server: localhost
        port: 9200
        ssl: f
Press enter at the remaining prompts to keep the defaults.
NOTE: when config.yaml already exists in the current directory the tool reads es_host and es_port from it, so some or all of these prompts may not appear.





ElastAlert Configuration


  1. auth.yaml holds the credentials of the mailbox ElastAlert sends from. Set user and password to that account. The password is stored in clear text, so keep the file readable by root only and use a dedicated alerting mailbox rather than a personal one. Gmail does not accept the normal account password for SMTP logins; create an app password (which requires 2-Step Verification on the account) and put that in the file. The relative smtp_auth_file path in the rule is resolved against the rule file's directory, which is why auth.yaml lives in rules/ next to the rule. Be aware that every .yaml file in rules_folder is treated as a rule when ElastAlert runs without --rule, and auth.yaml has no rule fields, so it would fail validation; keep using --rule as shown below, or move auth.yaml elsewhere and give smtp_auth_file its absolute path.
  2. nuwan_2mandata1.yaml is the rule file. Set email to the address (or list of addresses) that should receive the alert.
  3. nuwan_2mandata1.yaml also contains the filter, the query that decides which documents count towards the rule.
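As an added example (not code from this post or from ElastAlert), the following Python script checks the points above before ElastAlert is started: that the credentials file is not readable by other users, that mail is sent over SSL from the first byte (without smtp_ssl the session starts in clear text and encryption depends on the server advertising STARTTLS, which an on-path attacker can strip), and that an Elasticsearch that is not on localhost has credentials and TLS configured. It takes the settings as plain dicts copied from the files in this post so it needs no YAML library, and creates a throwaway rules/auth.yaml in a temporary directory to show the weak and the fixed permissions side by side. Resolving a relative smtp_auth_file against the rule file's directory is assumed here (it agrees with the layout in this post); es_username and use_ssl are ElastAlert's own config options.

```python
# Added example for this post; it is not ElastAlert code and not the post
# author's. Pre-flight checks for the email alert setup described above.
import os
import stat
import tempfile

# Constructed copies of the settings in config.yaml and nuwan_2mandata1.yaml.
CONFIG = {"es_host": "localhost", "es_port": 9200}
RULE = {
    "alert": ["email"],
    "email": ["nuwan.send@gmail.com"],
    "smtp_host": "smtp.gmail.com",
    "smtp_port": 465,
    "smtp_ssl": True,
    "smtp_auth_file": "auth.yaml",
}


def auth_file_path(rule_file, rule):
    """Assumed resolution: a relative smtp_auth_file is taken relative to the
    directory of the rule file (auth.yaml next to the rule, as in this post)."""
    path = rule["smtp_auth_file"]
    return path if os.path.isabs(path) else os.path.join(os.path.dirname(rule_file), path)


def check_setup(config, rule, rule_file):
    """Return a list of findings; an empty list means the setup passed."""
    findings = []
    if "email" in rule.get("alert", []):
        if not rule.get("smtp_ssl"):
            findings.append("smtp_ssl is not true: the SMTP login starts in clear text")
        if "smtp_auth_file" in rule:
            auth = auth_file_path(rule_file, rule)
            if not os.path.exists(auth):
                findings.append("smtp_auth_file %s does not exist" % auth)
            elif os.stat(auth).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("%s is readable by group or others; chmod 600 it" % auth)
    es_host = config.get("es_host", "")
    if es_host not in ("localhost", "127.0.0.1", "::1"):
        if not config.get("use_ssl"):
            findings.append("es_host %s is remote but use_ssl is not set" % es_host)
        if not config.get("es_username"):
            findings.append("es_host %s is remote but no es_username is set" % es_host)
    return findings


def demo():
    """Create rules/auth.yaml with typical editor permissions, check it,
    apply the fix (owner-only mode) and check again. Returns both result lists."""
    with tempfile.TemporaryDirectory() as tmp:
        rules_dir = os.path.join(tmp, "rules")
        os.mkdir(rules_dir)
        rule_file = os.path.join(rules_dir, "nuwan_2mandata1.yaml")
        auth = os.path.join(rules_dir, "auth.yaml")
        with open(auth, "w") as f:   # constructed credentials, not real ones
            f.write('user: "alerts@example.com"\npassword: "app-password"\n')
        os.chmod(auth, 0o644)        # what a plain editor usually leaves behind
        before = check_setup(CONFIG, RULE, rule_file)
        os.chmod(auth, 0o600)        # the fix: readable by the owner only
        after = check_setup(CONFIG, RULE, rule_file)
        return before, after


if __name__ == "__main__":
    weak, fixed = demo()
    print("before chmod 600:", weak)
    print("after chmod 600: ", fixed)
```

To check the real installation, call check_setup with the values from config.yaml and the rule file, passing the rule's path under /root/emailalerts/rules as rule_file.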




Run


cd /root/emailalerts
python3 -m elastalert.elastalert --verbose --start 2019-09-04 --rule rules/nuwan_2mandata1.yaml --config config.yaml


Options
--start 2019-09-04  >> the date from which existing data is processed. Without it, ElastAlert resumes from the end time of its last run recorded in the writeback index, or from the current time on a first run.
--rule              >> run only this rule file instead of every rule in rules_folder.




Test


Generate two matching Windows Security events within an hour: event ID 4624 (successful logon) or 4625 (failed logon) for the Administrator account, on a host that ships its Security log to the winlogbeat* index. Two failed Administrator logon attempts a few minutes apart are enough. The rule's num_events: 2 within timeframe: 1 hour is then satisfied and an alert is sent to the receiver address set in the rule. Before waiting for real logons, the elastalert-test-rule command installed with the package can validate the rule file and report how many documents matched recently without sending mail.



Reference Files


config.yaml

rules_folder: /root/emailalerts/rules   # every .yaml here is loaded as a rule unless --rule is given
run_every:
  minutes: 1                            # how often each rule is queried
buffer_time:
  minutes: 15                           # size of the query window, stretching back from each run
es_host: localhost
es_port: 9200
writeback_index: elastalert_status      # created by elastalert-create-index
alert_time_limit:
  days: 2                               # keep retrying a failed alert for up to two days

.......................................................................................................................
auth.yaml

user: "nuwan.receive@gmail.com"
password: "password"

.......................................................................................................................
nuwan_2mandata1.yaml

es_host: localhost
es_port: 9200
name: Nuwan rule
type: frequency
index: winlogbeat*
num_events: 2          # alert once this many matching documents ...
timeframe:
  hours: 1             # ... fall within this window
filter:
- query:
    query_string:
      query: "(winlog.event_id: 4625 OR winlog.event_id: 4624) AND user.name: Administrator"
alert_text: |
  something happened at {0}.
  response: {1}
  message: {2}
alert_text_args: ["@timestamp", "tags", "message"]   # fields substituted for {0} {1} {2}
alert_text_type: alert_text_only

alert:
- "email"
email:
- "nuwan.send@gmail.com"                 # recipient(s)
smtp_host: "smtp.gmail.com"
smtp_port: 465
smtp_ssl: true
from_addr: "nuwan.receive@gmail.com"     # the sending account, the one in auth.yaml
smtp_auth_file: "auth.yaml"              # relative to this rule file's directory





Testing on Test Server

cd /root/emailalerts
vi rules/nuwan_2mandata1.yaml
replace nuwan.send@gmail.com with your own email address
python3 -m elastalert.elastalert --verbose --start 2019-09-14 --rule rules/nuwan_2mandata1.yaml --config config.yaml
You should see the email alert in your mailbox. --start 2019-09-14 is the date from which ElastAlert starts scanning; pick a date on or before the test events you generated.
