Reputation: 177
What is the best way to create alerts in Elasticsearch? I would like to create alerts and get notified via mail if it crosses the threshold. I am using Elastic Stack 7.9.0.
Upvotes: 0
Views: 2796
Reputation: 842
Using the currently latest ELK version, 8.8, I created Kibana alerts like this.
For example, here's an alert to send me a Slack notification if there's SSH abuse on a host (I have a Gold license; I think you need a license for alerts to work).
Go to Stack Management > Rules > create new rule (rule type = Elasticsearch query).
Using KQL or Lucene to define the query:
select data view = auditbeat-*
define your query = event.type: "authentication_failure"
WHEN count() OVER all documents IS ABOVE 2 FOR THE LAST 3 minutes
set the # of documents to send = 1
Run the Test query button to see if you have any hits; generate some test hits by trying to SSH as a non-existent user to your host.
For Actions, create a Slack connector to some channel, run when Query matched.
For Message, to get the values from the hits, you can use something like this:
SSH Abuse on {{ context.hits.0._source.host.name }}
{{ context.hits.0._source.message }}
which results in this Slack message:
SSH Abuse on host123
Failed login by user test1 (UID: -1) on ssh:notty (PID: 29080) from 172.31.13.145 (IP: 172.31.13.145)
Upvotes: 0
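The rule the answer above builds in the Kibana UI has three moving parts: a query filter, a count-over-window threshold, and a Mustache template that pulls fields out of the matched hits. The following script, an added example and not Kibana's own evaluation code or anything from the answer's author, reproduces that logic locally over a handful of constructed auditbeat-shaped documents so you can see which events count toward the threshold, why the rule fires only when the count is strictly above 2 inside the 3-minute window, and how a path like `context.hits.0._source.host.name` is resolved (numeric segments index into the hits list). The timestamps, hostnames, PIDs, addresses and the newest-first ordering of hits are all assumptions of this example; the real rule returns whatever documents the query ranks first.

```python
"""Local simulation of a Kibana "Elasticsearch query" rule with an Elasticsearch
query of event.type:"authentication_failure", threshold "count() IS ABOVE 2 FOR
THE LAST 3 minutes", size = 1 hit, and a Mustache message template.
Added example; not Kibana's code and not the original answer's code."""
import re
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (assumption of this example).
NOW = datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def _doc(minutes_ago, event_type, message, host="host123"):
    """Build a constructed auditbeat-style login event (sample data, not real logs)."""
    return {
        "@timestamp": NOW - timedelta(minutes=minutes_ago),
        "event": {"type": [event_type]},  # ECS event.type is an array field
        "host": {"name": host},
        "message": message,
    }


# Constructed sample documents: four failures (one outside the window) and one success.
SAMPLE_DOCS = [
    _doc(10, "authentication_failure", "Failed login by user admin (UID: -1) on ssh:notty (PID: 29001) from 172.31.13.145 (IP: 172.31.13.145)"),
    _doc(2.5, "authentication_failure", "Failed login by user root (UID: -1) on ssh:notty (PID: 29050) from 172.31.13.145 (IP: 172.31.13.145)"),
    _doc(2, "authentication_success", "Login by user alice (UID: 1000) on ssh:pts/0 (PID: 29060) from 10.0.0.7 (IP: 10.0.0.7)"),
    _doc(1, "authentication_failure", "Failed login by user guest (UID: -1) on ssh:notty (PID: 29070) from 172.31.13.145 (IP: 172.31.13.145)"),
    _doc(0.5, "authentication_failure", "Failed login by user test1 (UID: -1) on ssh:notty (PID: 29080) from 172.31.13.145 (IP: 172.31.13.145)"),
]


def matches_query(doc):
    """Local stand-in for the KQL query  event.type: "authentication_failure"  (any array element matches)."""
    types = doc.get("event", {}).get("type", [])
    if isinstance(types, str):
        types = [types]
    return "authentication_failure" in types


def evaluate_rule(docs, now=NOW, window_minutes=3, threshold=2, size=1):
    """Count matching docs inside the trailing window; fire when count > threshold.

    Returns (count, hits). hits holds at most `size` matching docs as {"_source": doc},
    newest first (ordering is an assumption of this example), and is empty if the
    rule did not fire, mirroring "run when Query matched".
    """
    start = now - timedelta(minutes=window_minutes)
    matched = [d for d in docs if matches_query(d) and start <= d["@timestamp"] <= now]
    matched.sort(key=lambda d: d["@timestamp"], reverse=True)
    count = len(matched)
    hits = [{"_source": d} for d in matched[:size]] if count > threshold else []
    return count, hits


_PLACEHOLDER = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


def resolve_path(context, path):
    """Walk a dotted Mustache path such as context.hits.0._source.host.name;
    numeric segments index into lists, other segments are dict keys."""
    cur = context
    for seg in path.split("."):
        if isinstance(cur, list):
            cur = cur[int(seg)]
        elif isinstance(cur, dict):
            cur = cur[seg]
        else:
            raise KeyError(path)
    return cur


def render_message(template, context):
    """Substitute every {{ path }} placeholder with the resolved context value."""
    return _PLACEHOLDER.sub(lambda m: str(resolve_path(context, m.group(1))), template)


MESSAGE_TEMPLATE = (
    "SSH Abuse on {{ context.hits.0._source.host.name }}\n"
    "{{ context.hits.0._source.message }}"
)


def run_rule(docs, now=NOW):
    """Return the rendered Slack message if the rule fires for these docs, else None."""
    count, hits = evaluate_rule(docs, now)
    if not hits:
        return None
    return render_message(MESSAGE_TEMPLATE, {"context": {"hits": hits}})


if __name__ == "__main__":
    print(run_rule(SAMPLE_DOCS) or "no alert")
```

Running it prints the same two-line message shape as the Slack output shown in the answer, built from the newest failure. Note the edge cases the simulation makes visible: the 10-minute-old failure is ignored by the window, the successful login never matches the query, and exactly two failures in the window do not fire because the condition is "above 2", not "at least 2".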
Reputation: 217294
For that kind of use case, the best way is to use the new Alerting framework that went GA with 7.11, which was released earlier this week (Feb 10th, 2021).
It is also available in 7.9 as it was first released in beta in 7.7. Try it out.
It is worth noting, though, that this feature is not available in the OSS version, but only with the Free Basic License onwards.
Upvotes: 4