ElasticSearch Alerts
To define rules for ElastAlert, configure a list called elastalerts in your inventory.
To deploy those rules to your log server, run ascr elastalert-rules.
Below you'll find the details on how to configure the alerts that matter to your server farm and application.
External Sources
Inventory Format
The alert list in the inventory supports the following entries:
key
: Unique key that is used as a file name, so don't use special characters.
name
: Name of the rule, used in alerts.
description
: Describes the purpose of the rule.
type
: The rule type, see Rule Types.
alert
: List of alert types, see Alert Types.
Optional:
alert_subject
: Subject string to be used as the email alert subject.
alert_subject_args
: List of strings that can be used as placeholders in the subject line.
alert_text
: Alert text for all alert channels.
alert_text_args
: List of strings that can be used as placeholders in the alert text.
extra
: A list of additional parameters for the rule that depend on the selected rule type, see Rule Config.
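As an added example (not part of the ascr documentation or ElastAlert itself), the following Python checks inventory entries against the fields listed above before they are deployed: required fields present, the key safe for use as a file name, alert given as a list, and no duplicate keys. The inventory shape (a list of dicts under elastalerts), the allowed key character set and the sample entries are assumptions constructed for this example.

```python
"""Validate elastalerts inventory entries (added example, not ascr's own code).

Assumptions: the inventory is loaded as a dict with a list of rule dicts under
`elastalerts`; the required/optional fields follow the documentation above; the
character set allowed in `key` is a conservative guess, since `key` becomes a
file name. The sample inventory is constructed for this example.
"""
import re

REQUIRED = ("key", "name", "description", "type", "alert")
OPTIONAL = ("alert_subject", "alert_subject_args",
            "alert_text", "alert_text_args", "extra")

# Conservative file-name-safe key pattern (assumption, not an ascr rule).
SAFE_KEY = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample inventory in the documented shape; the second entry is broken on purpose.
SAMPLE_INVENTORY = {
    "elastalerts": [
        {
            "key": "drupal-php-errors",
            "name": "Drupal PHP errors",
            "description": "Fires when PHP errors show up in the Drupal syslog",
            "type": "frequency",
            "alert": ["email"],
            "alert_subject": "Drupal errors on {0}",
            "alert_subject_args": ["host"],
            "extra": {"num_events": 5, "timeframe": {"minutes": 10}},
        },
        {
            "key": "bad key!",   # space and '!' are not file-name safe
            "name": "Broken entry",
            "type": "any",
            "alert": "email",    # must be a list, not a string
        },
    ]
}


def validate_rule(rule):
    """Return a list of problems for one entry; an empty list means the entry is fine."""
    problems = []
    for field in REQUIRED:
        if field not in rule:
            problems.append(f"missing required field '{field}'")
    key = rule.get("key")
    if isinstance(key, str) and not SAFE_KEY.match(key):
        problems.append(f"key '{key}' contains characters unsuitable for a file name")
    if "alert" in rule and not isinstance(rule["alert"], list):
        problems.append("'alert' must be a list of alert types")
    for field in ("alert_subject_args", "alert_text_args"):
        value = rule.get(field)
        if value is not None and (not isinstance(value, list)
                                  or not all(isinstance(a, str) for a in value)):
            problems.append(f"'{field}' must be a list of strings")
    unknown = set(rule) - set(REQUIRED) - set(OPTIONAL)
    if unknown:
        problems.append(f"unknown fields: {sorted(unknown)}")
    return problems


def validate_inventory(inventory):
    """Map each rule key (or list index when the key is missing) to its problems."""
    report = {}
    seen = set()
    for i, rule in enumerate(inventory.get("elastalerts", [])):
        label = rule.get("key", f"#{i}")
        problems = validate_rule(rule)
        if label in seen:
            problems.append(f"duplicate key '{label}'")
        seen.add(label)
        if problems:
            report[label] = problems
    return report


if __name__ == "__main__":
    for label, problems in validate_inventory(SAMPLE_INVENTORY).items():
        print(label)
        for problem in problems:
            print("  -", problem)
```

Running the script reports only the second entry; a validator like this is worth running before ascr elastalert-rules, because a malformed rule file silently produces no alerts rather than an error you would notice.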
Special case: Drupal monitoring
The monitoring for Drupal is pre-configured and watches the syslog, the Apache error log and the Apache access log. The queries have these default values:
Drupal Syslog
To test the query in Kibana, prefix it with ident:drupal* AND and surround the query with brackets. Example:
Drupal Apache Log
Default query for errors:
Default query for access:
To test the queries in Kibana, embed the two parts into (@log_name:"apache.error.var.log.apache2.*-error.log" AND (ERROR-QUERY)) OR (@log_name:"apache.access.var.log.apache2.*-access.log" AND (ACCESS_QUERY)), surrounding each part with its own brackets. Example:
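As an added example (not part of the ascr documentation or ElastAlert), the following Python builds the Kibana test queries described in this section from a rule's own query strings: the syslog form with the ident:drupal* AND prefix, and the combined Apache form that ORs the error-log and access-log parts. The wrapping strings are the ones given above; the sample rule queries are constructed placeholders, not the real default queries, which live in the deployed rule files.

```python
"""Compose Kibana test queries for the Drupal rules (added example, not ascr's code).

The log-name wrappers and the ident:drupal* prefix are taken from the documentation;
the sample rule queries are constructed placeholders, not the real defaults.
"""

SYSLOG_PREFIX = "ident:drupal* AND"
APACHE_ERROR_LOG = '@log_name:"apache.error.var.log.apache2.*-error.log"'
APACHE_ACCESS_LOG = '@log_name:"apache.access.var.log.apache2.*-access.log"'


def balanced(query):
    """True when every '(' in the query closes before the end and none closes early.

    Brackets inside quoted strings are not special-cased; a quoted '(' would make
    this check conservative (it rejects), never permissive.
    """
    depth = 0
    for ch in query:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def kibana_syslog_query(rule_query):
    """Wrap a syslog rule query the way the documentation says to test it in Kibana."""
    if not balanced(rule_query):
        raise ValueError("rule query has unbalanced brackets")
    return f"{SYSLOG_PREFIX} ({rule_query})"


def kibana_apache_query(error_query, access_query):
    """Combine the error and access queries into the OR'ed Kibana expression."""
    for query in (error_query, access_query):
        if not balanced(query):
            raise ValueError("rule query has unbalanced brackets")
    return (f"({APACHE_ERROR_LOG} AND ({error_query})) OR "
            f"({APACHE_ACCESS_LOG} AND ({access_query}))")


# Constructed placeholder queries for demonstration only.
SAMPLE_SYSLOG_QUERY = 'message:"PHP Fatal error"'
SAMPLE_ERROR_QUERY = 'message:"Permission denied"'
SAMPLE_ACCESS_QUERY = "code:500"

if __name__ == "__main__":
    print(kibana_syslog_query(SAMPLE_SYSLOG_QUERY))
    print(kibana_apache_query(SAMPLE_ERROR_QUERY, SAMPLE_ACCESS_QUERY))
```

Pasting the printed strings into the Kibana search bar checks that a rule's query actually matches documents in the right log source; the bracket check catches the common mistake of a rule query that is valid on its own but breaks the surrounding AND/OR expression once embedded.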