Praeco Alerting for ElasticSearch (Part -1)

Praeco is an open-source tool for alerting Elasticsearch. It can build the alert for elasticsearch in an interactive query builder. A preview of the result will be shown in charts. This tool has an easy installation & configuration process which we will learn further in this blog. We can receive alerts on commonly used channels like slack, email, and many more.

This will have two parts- first, we install & configure the Praeco; in the second part, we learn – how to create an alert?

Why do we use this over others?

In terms of open-source tools which are used for alerting in elasticsearch the most popular option is elastalert. In this creating an alert is a very hectic process because one has to write YAML which can be sometimes frustrating for those who don’t know the syntax.

Now we have to search for other options, which leads us to Praeco. This provides an interactive GUI to create the alert condition and hassle-free integration with alert channels.

Requirement

A machine on which docker is installed & in a running state.
Port 8080 should be free because GUI will run on port 8080.

Elasticsearch cluster must be reachable from the machine.

Installation & Configuration

Clone the repository from the Github. You can do a simple google search with keywords like “Praeco elasticsearch” or use the below link.
git clone https://github.com/johnsusek/praeco.git

Change your directory to praeco and run the following commands to start the configuration of the tool.

cd praeco

mkdir -p rules rule_templates

This directory will hold rule configuration files that are used to trigger the alert.

chmod -R 777 rules rule_templates

Change the permission of the directory so the file can be added when you create an alert on GUI.

export PRAECO_ELASTICSEARCH=<Your elasticsearch IP>

Run the above command in the shell terminal. Replace the text with the IP of your elasticsearch node IP.

We have to change the few entries in a file name config/api.config.json. Which looks like this

{
“appName”: “elastalert-server”,
“port”: 3030,
“wsport”: 3333,
“elastalertPath”: “/opt/elastalert”,
“verbose”: false,
“es_debug”: false,
“debug”: false,
“rulesPath”: {
“relative”: true,
“path”: “/rules”
},
“templatesPath”: {
“relative”: true,
“path”: “/rule_templates”},
“es_host”: “<ElasticsearchhostIP>”,
“es_port”: <ElasticsearchPort>,
“es_ssl”: false,
“writeback_index”: “praeco_elastalert_status”
}

Replace with your elasticsearch host IP and Port and save the file.

“es_password”: “”,
“es_username”:

Remove these lines from the file if you are not using any authentication for elasticsearch.

To add the alerting in Praeco we have various methods which it supports. I will explain the adding an E-mail & slack option to Praeco.

Add these lines in the file rules/BaseRule.config.

alert:

– email

email:

– “teXXXXXXXXX@gmail.com“

from_addr: “XXXXXXX@XXXXXXXXX“

smtp_host: ‘smtp.gmail.com’

smtp_port: 465

smtp_ssl: true

smtp_auth_file: ‘/opt/elastalert/pass/gmail_auth.yaml’

After adding this information we need to add the username and password of the email from which the mail is sent to users. This password can be an app password that can be generated from the mail provider or enter the password of your user.

To do so edit the file ass/gmail_auth.yaml

user: teXXXXXXXX@gmail.com

password: XXXXXXXXXXXX

In the present directory, you have a docker compose file. Do not use that because we have made the changes as per the requirement so replace the docker compose with the below file.

version: ‘3’

services:

elastalert:

image: ‘praecoapp/elastalert-server’

ports:

– 3030:3030

– 3333:3333

volumes:

– ./config/elastalert.yaml:/opt/elastalert/config.yaml

– ./config/api.config.json:/opt/elastalert-server/config/config.json

– ./rules:/opt/elastalert/rules

– ./rule_templates:/opt/elastalert/rule_templates