How to Install and Configure ElastAlert on Ubuntu for Real‑Time Alerts

ElastAlert is an alerting framework written in Python 2 by Yelp, currently supporting Python 2.6 and 2.7 (not 3.x). Its source code is available at https://github.com/Yelp/elastalert .

Environment

Ubuntu 16.10 (kernel 4.8.0-37-generic) Elasticsearch 5.2.0 Logstash 5.2.0 Kibana 5.2.0

Dependencies

See the official requirements page:

http://elastalert.readthedocs.io/en/latest/running_elastalert.html#requirements

Elasticsearch ISO8601 or Unix‑timestamped data Python 2.6 or 2.7 pip (see requirements.txt )

Install ElastAlert

Before installing, check the Python version with python --version:

Download the latest ElastAlert and install its modules:

After installation, four ElastAlert commands appear under /usr/local/bin/:

Set Elasticsearch Index

Refer to the "setting‑up‑elasticsearch" documentation:

https://elastalert.readthedocs.io/en/latest/running_elastalert.html#setting-up-elasticsearch

Run elastalert-create-index to create the index (recommended but optional). The default index name is elastalert_status:

For details about the generated metadata, see the "ElastAlert Metadata Index" documentation:

https://elastalert.readthedocs.io/en/latest/elastalert_status.html#metadata

Configure Configuration Files and Rules

For rule creation details, see the "creating‑a‑rule" guide:

https://elastalert.readthedocs.io/en/latest/running_elastalert.html#creating-a-rule

Test Rules

Refer to the "Testing Your Rule" documentation:

Testing Your Rule

Configuration details are in the "commonconfig" file:

commonconfig

Run ElastAlert

{"_index":"logstash-2017.02.14","_type":"test","_id":"AVo6oVCnFreCcJPhQqgX","_version":1,"result":"created","shards":{"total":2,"successful":1,"failed":0},"created":true}

@timestamp values are in UTC; convert to Beijing time (UTC+8) by subtracting eight hours (e.g., 2017‑02‑14 11:21:50 Beijing = 2017‑02‑14 03:21:50 UTC).

Alert Example