Elastalert Docker Image
Docker image with Elastalert on Alpine Linux.
Requires a link to a Docker container running Elasticsearch using the "elasticsearchhost" alias.
Assumes the use of port 9200 when communicating with Elasticsearch.
In order for the time of the container to be synchronized (ntpd), it must be run with the SYS_TIME capability.
In addition you may want to add the SYS_NICE capability, in order for ntpd to be able to modify its priority.
If Elasticsearch requires authentication, then the two environment variables listed below must contain user and password.
In addition, the Elastalert configuration file must also contain login credentials, like in this example:
es_username: elastic
es_password: changeme
- /opt/logs - Elastalert and Supervisord logs will be written to this directory.
- /opt/config - Elastalert (elastalert_config.yaml) and Supervisord (elastalert_supervisord.conf) configuration files.
- /opt/rules - Contains Elastalert rules.
- SET_CONTAINER_TIMEZONE - Set to "true" (without quotes) to set the timezone when starting a container. Default is false.
- CONTAINER_TIMEZONE - Timezone to use in container. Default is Europe/Stockholm.
- ELASTICSEARCH_USER - Name of user to log into Elasticsearch with. Leave undefined for no authentication.
- ELASTICSEARCH_PASSWORD - Password to log into Elasticsearch with. Leave undefined for no authentication.
- ELASTICSEARCH_TLS - Use HTTPS when connecting to Elasticsearch (true/false). Default is false.
- ELASTICSEARCH_TLS_VERIFY - Verify server (Elasticsearch) certificate (true/false). Default is false.
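The settings above pulled together in one deployment, as an added example that is not part of the image's own documentation: a docker-compose.yml that provides the "elasticsearchhost" link alias, the two capabilities, the three volumes and the authentication/TLS variables, followed by the matching elastalert_config.yaml. The Elasticsearch image tag, the "changeme" password and the assumption that the TLS settings must also be repeated in the Elastalert configuration file are mine; es_host, es_port, use_ssl, verify_certs, rules_folder, run_every, buffer_time and writeback_index are standard Elastalert configuration keys.

```yaml
# --- docker-compose.yml (constructed example) ---
version: '3'
services:
  elasticsearch:
    # Assumed image; the page reports testing against Elasticsearch 5.4.0 with X-Pack.
    image: docker.elastic.co/elasticsearch/elasticsearch:5.4.0
  elastalert:
    image: ivankrizsan/elastalert:latest
    links:
      - elasticsearch:elasticsearchhost   # alias the image resolves Elasticsearch by
    cap_add:
      - SYS_TIME                          # lets ntpd set the container clock
      - SYS_NICE                          # lets ntpd raise its own priority
    volumes:
      - ./config:/opt/config              # elastalert_config.yaml, elastalert_supervisord.conf
      - ./logs:/opt/logs                  # Elastalert and Supervisord logs
      - ./rules:/opt/rules                # rule files
    environment:
      - SET_CONTAINER_TIMEZONE=true
      - CONTAINER_TIMEZONE=Europe/Stockholm
      - ELASTICSEARCH_USER=elastic
      - ELASTICSEARCH_PASSWORD=changeme   # placeholder; use a real secret, not the X-Pack default
      - ELASTICSEARCH_TLS=true            # default is false (plain HTTP)
      - ELASTICSEARCH_TLS_VERIFY=true     # default is false, i.e. the server certificate is not checked
---
# --- config/elastalert_config.yaml (constructed example) ---
# Credentials must be repeated here, as the page states; the TLS keys are my
# assumption that the image does not copy them from the environment.
es_host: elasticsearchhost
es_port: 9200
use_ssl: true
verify_certs: true
es_username: elastic
es_password: changeme
rules_folder: /opt/rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
writeback_index: elastalert_status
```

With ELASTICSEARCH_TLS_VERIFY left at its default, a connection to an impostor presenting any certificate would succeed and the credentials would be sent to it, so set it to true whenever the Elasticsearch certificate can be validated.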
Added support for HTTP basic authentication and tested with Elasticsearch 5.4.0 with X-Pack security enabled.
Can elastalert reach an elasticsearch instance that runs on an already existing (non-docker) machine?
My docker-compose.yml file looks like that:
version: '3'
services:
  elastalert:
    image: ivankrizsan/elastalert:latest
    cap_add:
      - SYS_TIME
      - SYS_NICE
    volumes:
      - ./config:/opt/config
      - ./logs:/opt/logs
      - ./rules:/opt/rules
    environment:
      - ELASTICSEARCH_HOST=100.100.100.188
      - ELASTICSEARCH_PORT=9200
Running that I get the following error:
WARNING:elasticsearch:GET http://elasticsearchhost:9200/ [status:N/A request:5.008s]
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/elasticsearch/connection/http_requests.py", line 75, in perform_request
    timeout=timeout or self.timeout)
  File "/usr/lib/python2.7/site-packages/requests-2.13.0-py2.7.egg/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/site-packages/requests-2.13.0-py2.7.egg/requests/adapters.py", line 487, in send
    raise ConnectionError(e, request=request)
There recently was an issue due to an incompatible version of twilio but this has been corrected (thanks danibaeyens!). Only latest tag has been updated (not sure it affects any other tags).
The IP address of my linked elasticsearch service is reachable but I can't resolve the IP address from the hostname. Is there something special with the DNS?
If I add an entry in the file /etc/hosts it works.
Sorry, I have never tried this Docker image with Docker Cloud. If you do solve the issue, please let me know!
I tried to start your elastalert image with DockerCloud with the following entry in the Stackfile:
- SYS_TIME
- SYS_NICE
But it doesn't work. I always get this error:
[prod-elastalert-1]2017-03-20T12:34:48.313582907Z Container timezone not modified
[prod-elastalert-1]2017-03-20T12:34:48.313626140Z Waiting for Elasticsearch...
[prod-elastalert-1]2017-03-20T12:34:48.313736309Z reset adjtime failed: Operation not permitted
[prod-elastalert-1]2017-03-20T12:34:48.313785236Z constraint certificate verification turned off
[prod-elastalert-1]2017-03-20T12:34:48.313804951Z adjtimex failed: Operation not permitted
[prod-elastalert-1]2017-03-20T12:34:49.307802684Z Waiting for Elasticsearch...
When I try to ping my elasticsearch container I get the error:
ping: bad address: 'elasticsearchhost'
But the service/container is linked to elastalert service.
Any ideas what I'm doing wrong here?
No idea really - I just package Elastalert up in this Docker image.
If you got X-Pack then you got Watcher, which may be an alternative to Elastalert for you.
Is there a way to make it work with X-Pack (authentication) in ELK?
Merged pull request which fixes the issue in the "latest" tag. Thanks!