Short Description
Elastalert on Alpine Linux.
Full Description

Elastalert Docker Image

Docker image with Elastalert on Alpine Linux.

Requires a link to a Docker container running Elasticsearch, using the alias "elasticsearchhost".
Assumes port 9200 when communicating with Elasticsearch.
For the container's clock to be synchronized (ntpd), the container must be run with the SYS_TIME capability.
You may also want to add the SYS_NICE capability so that ntpd can modify its own priority.

If Elasticsearch requires authentication, the two environment variables listed below (ELASTICSEARCH_USER and ELASTICSEARCH_PASSWORD) must contain the user name and password.
In addition, the Elastalert configuration file must also contain the login credentials, as in this example:

es_username: elastic
es_password: changeme

Volumes

  • /opt/logs - Elastalert and Supervisord logs will be written to this directory.
  • /opt/config - Elastalert (elastalert_config.yaml) and Supervisord (elastalert_supervisord.conf) configuration files.
  • /opt/rules - Contains Elastalert rules.

Environment

  • SET_CONTAINER_TIMEZONE - Set to "true" (without quotes) to set the timezone when starting a container. Default is false.
  • CONTAINER_TIMEZONE - Timezone to use in container. Default is Europe/Stockholm.
  • ELASTICSEARCH_USER - Name of user to log into Elasticsearch with. Leave undefined for no authentication.
  • ELASTICSEARCH_PASSWORD - Password to log into Elasticsearch with. Leave undefined for no authentication.
  • ELASTICSEARCH_TLS - Use HTTPS when connecting to Elasticsearch (true/false). Default is false.
  • ELASTICSEARCH_TLS_VERIFY - Verify server (Elasticsearch) certificate (true/false). Default is false.
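The following launcher script is an added example, not part of the image or its author's scripts. It ties together the requirements above: the "elasticsearchhost" link alias, the SYS_TIME and SYS_NICE capabilities, the three volumes, and the TLS and credential environment variables. It assumes the Elasticsearch container is named "es" and that the host directories live under ./elastalert; both names are placeholders that can be overridden with ES_CONTAINER and BASE. Before starting anything it checks two things the description leaves to the reader: that es_username/es_password are present in elastalert_config.yaml whenever ELASTICSEARCH_USER is set, and that ELASTICSEARCH_TLS_VERIFY is not left at its default of false when ELASTICSEARCH_TLS is true, since that combination accepts any certificate. By default it only prints the docker run line (DRY_RUN=1).

```shell
#!/bin/sh
# Added example: launcher with preflight checks for the ivankrizsan/elastalert
# image. Not part of the image itself. Assumed names (placeholders): the
# Elasticsearch container is called "es" and host directories live under
# ./elastalert; override both through ES_CONTAINER and BASE.

BASE="${BASE:-./elastalert}"
ES_CONTAINER="${ES_CONTAINER:-es}"

# check_credentials CONFIG_FILE USER
# When ELASTICSEARCH_USER is set, the image description also requires
# es_username/es_password in elastalert_config.yaml. Returns 0 if the two
# are consistent, 1 otherwise.
check_credentials() {
  cfg="$1"
  user="$2"
  [ -n "$user" ] || return 0              # no authentication requested
  [ -f "$cfg" ] || return 1
  grep -q '^es_username:' "$cfg" || return 1
  grep -q '^es_password:' "$cfg" || return 1
  return 0
}

# check_tls TLS VERIFY
# Both settings default to false on this image. HTTPS with verification left
# off accepts any server certificate, so treat that combination as a failure.
check_tls() {
  if [ "$1" = "true" ] && [ "$2" != "true" ]; then
    return 1
  fi
  return 0
}

# build_run_cmd BASE ES_CONTAINER TLS VERIFY
# Prints the docker run line; does not execute it. Credentials are passed as
# bare "-e NAME" so their values are taken from the caller's environment and
# never appear on the command line (Docker leaves the variable unset in the
# container when it is not exported on the host).
build_run_cmd() {
  base="$1"; es="$2"; tls="$3"; verify="$4"
  printf 'docker run -d --name elastalert'
  printf ' --link %s:elasticsearchhost' "$es"
  printf ' --cap-add SYS_TIME --cap-add SYS_NICE'
  printf ' -v %s/config:/opt/config' "$base"
  printf ' -v %s/rules:/opt/rules' "$base"
  printf ' -v %s/logs:/opt/logs' "$base"
  printf ' -e ELASTICSEARCH_TLS=%s -e ELASTICSEARCH_TLS_VERIFY=%s' "$tls" "$verify"
  printf ' -e ELASTICSEARCH_USER -e ELASTICSEARCH_PASSWORD'
  printf ' ivankrizsan/elastalert:latest\n'
}

main() {
  tls="${ELASTICSEARCH_TLS:-false}"
  verify="${ELASTICSEARCH_TLS_VERIFY:-false}"
  if ! check_credentials "$BASE/config/elastalert_config.yaml" "${ELASTICSEARCH_USER:-}"; then
    echo "ELASTICSEARCH_USER is set but $BASE/config/elastalert_config.yaml lacks es_username/es_password" >&2
    return 1
  fi
  if ! check_tls "$tls" "$verify"; then
    echo "ELASTICSEARCH_TLS=true requires ELASTICSEARCH_TLS_VERIFY=true" >&2
    return 1
  fi
  cmd=$(build_run_cmd "$BASE" "$ES_CONTAINER" "$tls" "$verify")
  if [ "${DRY_RUN:-1}" = "1" ]; then
    echo "$cmd"                          # set DRY_RUN=0 to actually start it
  else
    mkdir -p "$BASE/config" "$BASE/rules" "$BASE/logs"
    eval "$cmd"
  fi
}

main
```

Run it as `ELASTICSEARCH_USER=elastic ELASTICSEARCH_PASSWORD=... ELASTICSEARCH_TLS=true ELASTICSEARCH_TLS_VERIFY=true DRY_RUN=0 sh run-elastalert.sh`. The bare `-e NAME` form keeps the password out of shell history and process listings, but the value is still readable through `docker inspect` by anyone with access to the Docker socket, and it is also stored in plain text in elastalert_config.yaml, so restrict permissions on the config volume accordingly. The `--link` alias only resolves for a container on the same Docker host; an Elasticsearch instance running elsewhere needs to be reachable under that name by other means.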
Owner
ivankrizsan

Comments (17)
ivankrizsan
24 days ago

Added support for HTTP basic authentication and tested with Elasticsearch 5.4.0 with X-Pack security enabled.

buinauskasevaldas
2 months ago

Can elastalert reach an elasticsearch instance that runs on an already existing (non-docker) machine?

My docker-compose.yml file looks like this:

version: '3'
services:
  elastalert:
    image: ivankrizsan/elastalert:latest
    cap_add:
      - SYS_TIME
      - SYS_NICE
    volumes:
      - ./config:/opt/config
      - ./logs:/opt/logs
      - ./rules:/opt/rules
    environment:
      - ELASTICSEARCH_HOST=100.100.100.188
      - ELASTICSEARCH_PORT=9200

Running that I get the following error:

WARNING:elasticsearch:GET http://elasticsearchhost:9200/ [status:N/A request:5.008s]
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/elasticsearch/connection/http_requests.py", line 75, in perform_request
    timeout=timeout or self.timeout)
  File "/usr/lib/python2.7/site-packages/requests-2.13.0-py2.7.egg/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests-2.13.0-py2.7.egg/requests/adapters.py", line 487, in send
    raise ConnectionError(e, request=request)

ivankrizsan
2 months ago

There recently was an issue due to an incompatible version of twilio but this has been corrected (thanks danibaeyens!). Only latest tag has been updated (not sure it affects any other tags).

buinauskasevaldas
2 months ago

How could I resolve issues such as invalid import operations? Attaching Gist with configuration and stderr: https://gist.github.com/buinauskasevaldas/d5db27cbf5c6d9b7592bcffd9f12e9f9

theindra
3 months ago

The IP address of my linked elasticsearch service is reachable, but I can't resolve the IP address from the hostname. Is there something special with the DNS?

If I add an entry in the file /etc/hosts it works.

ivankrizsan
3 months ago

@theindra
Sorry, I have never tried this Docker image with Docker Cloud. If you do solve the issue, please let me know!

theindra
3 months ago

I tried to start your elastalert image with DockerCloud with the following entry in the Stackfile:

cap_add:
  - SYS_TIME
  - SYS_NICE

But it doesn't work. I always get this error:
[prod-elastalert-1]2017-03-20T12:34:48.313582907Z Container timezone not modified
[prod-elastalert-1]2017-03-20T12:34:48.313626140Z Waiting for Elasticsearch...
[prod-elastalert-1]2017-03-20T12:34:48.313736309Z reset adjtime failed: Operation not permitted
[prod-elastalert-1]2017-03-20T12:34:48.313785236Z constraint certificate verification turned off
[prod-elastalert-1]2017-03-20T12:34:48.313804951Z adjtimex failed: Operation not permitted
[prod-elastalert-1]2017-03-20T12:34:49.307802684Z Waiting for Elasticsearch...

When I try to ping my elasticsearch container I get the error:
ping: bad address: 'elasticsearchhost'

But the service/container is linked to elastalert service.
Any ideas what I'm doing wrong here?

ivankrizsan
5 months ago

@cecchisandrone
No idea really - I just package Elastalert up in this Docker image.
If you got X-Pack then you got Watcher, which may be an alternative to Elastalert for you.

cecchisandrone
5 months ago

Is there a way to make it work with X-Pack (authentication) in ELK?

ivankrizsan
7 months ago

Merged pull request which fixes the issue in the "latest" tag. Thanks!