Reputation: 13
How to do Real Time Alerting in ELK
We have ELK(+XPACK) for our network devices syslog server (source/destination IP and port). I'm trying to implement a real-time alerting system when source_ip field equals a specific IP address. How can i accomplish this with ELK?
I tried to do it with watcher, but it isn't real-time and low intervals may cause performance problems(?).
Note: log rate ~ 500 log per second.
Upvotes: 1
Views: 652
Answers (1)
Reputation: 3667
If watcher are not fast enough, then you need sth. what will fire at the moment of data incoming. Ingest pipelines can't execute external actions, but if you have Logstah in place, then clone (https://www.elastic.co/guide/en/logstash/current/plugins-filters-clone.html) the relevant event and issue an alert via email (https://www.elastic.co/guide/en/logstash/current/plugins-outputs-email.html) or whatever suits you.
Doing so, there will be the original event in elastic and the cloned one can be processed i a separate alert pipeline.
Upvotes: 2
Related Questions
- Alerting in Elastic Stack
- Send email through elastic when error comes in log
- Logstash use in kibana
- Alert/Notification using Kibana3?
- Logstash email alerts dynamically from multiple log files
- Any way to have kibana 4 send alerts or take action on specific conditions
- Run logstash on demand
- Email alert after threshold crossed, logstash?
- Correlate messages in ELK by field
- Any way to set alerts if logstash is not sending data