Skip to content

ElasticSearch Alerts

To define rules for ElastAlert you can configure a list called elastalerts in your inventory.

To deploy those rules to your log server, simply run ascr elastalert-rules.

Below you'll find the details on how to configure the alerts that matter to your server farm and application.

External Sources

Inventory Format

The alert list in the inventory supports the following entries:

  • key: Unique key that makes for a file name, so don't use special characters.
  • name: Name of the rules which is used in alerts.
  • description: Describes the purpose of the rules.
  • type: The rules type, see Rule Types
  • alert: List of alert types, see Alert Types
  • Optional:
  • alert_subject: Subject string to be used as email alert subject
  • alert_subject_args: list of strings that can be used as placeholders in the subject line
  • alert_text: Alert text for all alert channels
  • alert_text_args: list of strings that can be used as placeholders in the alert text
  • extra: a list of additional parameters for the rules that depend on the selected rules type, see Rule Config

Special case: Drupal monitoring

The monitoring for Drupal is pre-configured and watches the syslog, the Apache error log and the Apache access log. The queries have these default values:

Drupal Syslog

1
@log_name:"syslog.local0.err" OR @log_name:"syslog.local0.crit" OR @log_name:"syslog.local0.alert" OR @log_name:"syslog.local0.emerg"

To test the query in Kibana, you should prefix that query with ident:drupal* AND and surround the query with brackets. Example:

1
ident:drupal* AND (@log_name:"syslog.local0.err" OR @log_name:"syslog.local0.crit" OR @log_name:"syslog.local0.alert" OR @log_name:"syslog.local0.emerg")

Drupal Apache Log

Default query for errors:

1
level:"*error"

Default query for access:

1
code:[500 TO 599]

To test the query in Kibana, you should embed the two parts into (@log_name:"apache.error.var.log.apache2.*-error.log" AND (ERROR-QUERY)) OR (@log_name:"apache.access.var.log.apache2.*-access.log" AND (ACCESS_QUERY)) and surround them with brackets each. Example:

1
(@log_name:"apache.error.var.log.apache2.*-error.log" AND (level:"*error")) OR (@log_name:"apache.access.var.log.apache2.*-access.log" AND (code:[500 TO 599]))

Last update: January 12, 2021 18:06:10