To define rules for ElastAlert you can configure a list called elastalerts in your inventory.
To deploy those rules to your log server, simply run
Below you'll find the details on how to configure the alerts that matter to your server farm and application.
The alert list in the inventory supports the following entries:
key: Unique key that is used as the file name of the rule, so don't use special characters.
name: Name of the rule, used in the alerts it sends.
description: Describes the purpose of the rule.
type: The rule type, see Rule Types.
alert: List of alert types, see Alert Types.
alert_subject: Subject string used as the email alert subject.
alert_subject_args: List of field names that can be referenced as placeholders in the subject line.
alert_text: Alert text for all alert channels.
alert_text_args: List of field names that can be referenced as placeholders in the alert text.
extra: A list of additional parameters for the rule; which ones apply depends on the selected rule type, see Rule Config.
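The following is an added example, not code from the role or its documentation, showing how one entry of the elastalerts inventory list could be turned into an ElastAlert rule definition. The field names are the ones listed above; the way the key becomes a file name, the treatment of extra as either a mapping or an Ansible-style list of one-key mappings, and the sample entry itself (including the frequency rule parameters num_events, timeframe and filter) are assumptions made for the illustration.

```python
import re

# Constructed sample inventory entry (not one of the role's defaults).
SAMPLE_ENTRY = {
    "key": "drupal-php-fatal",
    "name": "Drupal PHP fatal errors",
    "description": "Five or more PHP fatal errors from Drupal within ten minutes",
    "type": "frequency",
    "alert": ["email"],
    "alert_subject": "Drupal fatal errors on {0}",
    "alert_subject_args": ["host"],
    "alert_text": "Host {0} reported: {1}",
    "alert_text_args": ["host", "message"],
    # Assumption: extra may be written as an Ansible-style list of one-key
    # mappings or as a plain mapping; both are accepted below.
    "extra": [
        {"num_events": 5},
        {"timeframe": {"minutes": 10}},
        {"filter": [{"query": {"query_string": {
            "query": 'ident:drupal* AND message:"PHP Fatal error"'}}}]},
    ],
}

# The key ends up in a file name, so restrict it to a safe character set.
KEY_PATTERN = re.compile(r"^[A-Za-z0-9_-]+$")
PLACEHOLDER = re.compile(r"\{(\d+)\}")

CORE_FIELDS = ("alert_subject", "alert_subject_args",
               "alert_text", "alert_text_args")


def rule_filename(key):
    """Return the rule file name derived from the inventory key (assumed <key>.yaml)."""
    if not KEY_PATTERN.match(key):
        raise ValueError(
            f"invalid rule key {key!r}: use only letters, digits, '-' and '_'")
    return f"{key}.yaml"


def check_placeholders(text, args, field):
    """Every {n} placeholder in text must refer to an existing args entry."""
    for index in (int(m) for m in PLACEHOLDER.findall(text or "")):
        if index >= len(args):
            raise ValueError(
                f"{field} references placeholder {{{index}}} but only "
                f"{len(args)} argument(s) are configured")


def merge_extra(extra):
    """Flatten a list of one-key mappings into a single mapping."""
    if isinstance(extra, dict):
        return dict(extra)
    merged = {}
    for item in extra or []:
        merged.update(item)
    return merged


def build_rule(entry):
    """Map one inventory entry to (file name, ElastAlert rule dict)."""
    rule = {
        "name": entry["name"],
        "description": entry.get("description", ""),
        "type": entry["type"],
        "alert": list(entry["alert"]),
    }
    for field in CORE_FIELDS:
        if field in entry:
            rule[field] = entry[field]
    check_placeholders(rule.get("alert_subject"),
                       rule.get("alert_subject_args", []), "alert_subject")
    check_placeholders(rule.get("alert_text"),
                       rule.get("alert_text_args", []), "alert_text")
    for key, value in merge_extra(entry.get("extra")).items():
        if key in rule:
            raise ValueError(f"extra parameter {key!r} would override a core field")
        rule[key] = value
    return rule_filename(entry["key"]), rule


if __name__ == "__main__":
    filename, rule = build_rule(SAMPLE_ENTRY)
    print(filename)
    for field, value in rule.items():
        print(f"  {field}: {value}")
```

The two validation steps are the ones worth keeping even if the rest is replaced by the role's own templating: a key with shell or path characters would produce an odd file name, and a placeholder index beyond the args list only fails later, at alert time, when the rule is least convenient to debug.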
Special case: Drupal monitoring
The monitoring for Drupal is pre-configured and watches the syslog, the Apache error log and the Apache access log. The queries have these default values:
To test the query in Kibana, prefix it with ident:drupal* AND and surround the query with brackets. Example:
Drupal Apache Log
Default query for errors:
Default query for access:
To test the query in Kibana, embed the two parts into (@log_name:"apache.error.var.log.apache2.*-error.log" AND (ERROR-QUERY)) OR (@log_name:"apache.access.var.log.apache2.*-access.log" AND (ACCESS_QUERY)), with each part surrounded by brackets. Example:
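The following is an added example, not part of the original documentation, that builds the Kibana test queries described above for both the Drupal syslog rule and the Drupal Apache log rule. The ident:drupal* prefix and the two @log_name selectors are taken from the text; the two sample rule queries are constructed placeholders and not the role's default queries. The bracket check is an extra precaution so that a rule query with unbalanced brackets is caught before it is pasted into Kibana.

```python
# Selectors quoted from the documentation above.
DRUPAL_SYSLOG_PREFIX = "ident:drupal*"
APACHE_ERROR_LOG = '@log_name:"apache.error.var.log.apache2.*-error.log"'
APACHE_ACCESS_LOG = '@log_name:"apache.access.var.log.apache2.*-access.log"'

# Constructed sample queries (not the role's defaults).
SAMPLE_ERROR_QUERY = 'message:"PHP Fatal error"'
SAMPLE_ACCESS_QUERY = "response:>=500"


def check_brackets(query):
    """Reject a rule query whose round brackets are not balanced."""
    depth = 0
    for char in query:
        if char == "(":
            depth += 1
        elif char == ")":
            depth -= 1
            if depth < 0:
                break
    if depth != 0:
        raise ValueError(f"unbalanced brackets in query: {query!r}")
    return query


def drupal_syslog_test_query(query):
    """Kibana form of a Drupal syslog rule query: prefixed and bracketed."""
    return f"({DRUPAL_SYSLOG_PREFIX} AND ({check_brackets(query)}))"


def drupal_apache_test_query(error_query, access_query):
    """Kibana form of the Apache rule: error-log and access-log parts,
    each restricted to its own log file and bracketed, joined with OR."""
    error_part = f"({APACHE_ERROR_LOG} AND ({check_brackets(error_query)}))"
    access_part = f"({APACHE_ACCESS_LOG} AND ({check_brackets(access_query)}))"
    return f"{error_part} OR {access_part}"


if __name__ == "__main__":
    print(drupal_syslog_test_query(SAMPLE_ERROR_QUERY))
    print(drupal_apache_test_query(SAMPLE_ERROR_QUERY, SAMPLE_ACCESS_QUERY))
```

Paste the printed string into the Kibana search bar to confirm that the rule query matches the intended documents before the rule is deployed; the two functions produce exactly the wrapping the text above describes, so a query that matches here will match the same documents once ElastAlert runs it against the restricted log set.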