Installing ElastAlert [Part 3]

Valente Security Labs
May 2, 2021

Alerting in the Elasticsearch Stack is a paid feature. The open-source tool ElastAlert, however, integrates with our Elasticsearch Stack and lets us send alerts.

This tutorial is part of the article “SECaaS — Security as a Service”. I recommend reading that article first to understand the basics and the purpose of this lab.

ElastAlert Installation

This tutorial is performed on the Elasticsearch Stack machine.

In this step we are going to install ElastAlert and connect it to Slack to receive the alerts.

ElastAlert requires Python 3.6; check that your Python version is 3.6 or later.

python -V

If you are running Python 2.7, you have to switch to 3.6.

$ sudo add-apt-repository ppa:deadsnakes/ppa
$ sudo apt update
$ sudo apt install python3.6

Register both interpreters with update-alternatives and choose the default Python.

$ sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
$ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
$ sudo update-alternatives --config python

Select python3.6 as the default and exit.

We also need to have pip to install some dependencies of ElastAlert.

$ sudo apt install python3-pip

Install ElastAlert and its components. Quoting the setuptools version is required, otherwise the shell treats >= as an output redirection. The setup.py step installs the elastalert-create-index and elastalert-test-rule commands used below.

$ cd /etc/
$ git clone https://github.com/Yelp/elastalert.git
$ pip3 install "setuptools>=11.3"
$ pip3 install PyYAML==5.1
$ cd /etc/elastalert/
$ sudo python3 setup.py install

Installing Slack

ElastAlert can send alerts to many platforms, such as Slack, Jira, ServiceNow and others. Check the ElastAlert documentation for the full list of supported integrations.

In this demo we are using Slack.

Installing Slack is not part of this article, so follow Slack's own instructions to install it on your machine.

After you install Slack, create a Space to receive the alerts and save its WebHook URL.

In the Slack main configuration page, go to: Configure Apps > Personalized integrations > WebHook > Configurations > Edit.

At the bottom of the page, copy the URL of this WebHook. It looks like this:

https://hooks.slack.com/services/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h

Configuring ElastAlert

First, we have to create a directory to store our rules.

$ cd /etc/elastalert/
$ mkdir rules

Before we populate the rules directory, edit the configuration file /etc/elastalert/config.yaml so ElastAlert can connect to Elasticsearch.

Change the rules folder, the Elasticsearch host and the port to match your setup.

$ vim /etc/elastalert/config.yaml

rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: localhost
es_port: 9200

Save the file and quit.

Create the Elasticsearch index in which ElastAlert stores its alert history.

$ elastalert-create-index

The rule template, and other examples, can be found in /etc/elastalert/example_rules.

For testing purposes, we will use the ssh.yaml template.

Copy it to the rules folder we created and edit the file.

$ cp /etc/elastalert/example_rules/ssh.yaml /etc/elastalert/rules/
$ sudo vim /etc/elastalert/rules/ssh.yaml

This rule detects abuse of SSH connections. It looks as follows; adjust the parameters to your needs.

You have to change the highlighted lines (the index, the Slack settings and the dashboard link).

Do not forget to insert the WebHook URL saved in the previous step.

name: SSH success authentication (ElastAlert 3.0.1) - 2
type: frequency
num_events: 1
timeframe:
  minutes: 60
filter:
- query:
    query_string:
      query: "event.type:authentication_failure"
index: auditbeat-*
realert:
  minutes: 1
query_key:
  - source.ip
include:
  - host.hostname
  - user.name
  - source.ip
include_match_in_root: true
alert_subject: "SSH failed authentication on {} | <{}|Show Dashboard>"
alert_subject_args:
  - host.hostname
  - kibana_link
alert_text: |-
  A failed authentication was detected on {}.
  The attacker looks like:
  User: {}
  IP: {}
alert_text_args:
  - host.hostname
  - user.name
  - source.ip
alert:
  - slack
slack_webhook_url: "<WebHook_URL>"
slack_username_override: "ElastAlert"
alert_text_type: alert_text_only
use_kibana4_dashboard: "https://dev.securely.ai/app/kibana#/dashboard/37739d80-a95c-11e9-b5ba-33a34ca252fb"
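To see how num_events, timeframe, query_key and realert interact before deploying the rule, here is an added simulation (not ElastAlert's own code) of the frequency rule above run over constructed auditbeat-style events. It assumes that this subset of parameters is enough to reproduce the matching behaviour: a match fires once num_events events for the same query_key fall inside the timeframe, and alerts for that key are then silenced for the realert period.

```python
from datetime import datetime, timedelta

# Rule parameters copied from the ssh.yaml rule above. Assumption: this subset
# is enough to reproduce the matching behaviour of ElastAlert's frequency rule.
RULE = {
    "num_events": 1,
    "timeframe": timedelta(minutes=60),
    "query_key": "source.ip",
    "realert": timedelta(minutes=1),
    "filter": ("event.type", "authentication_failure"),   # the query_string filter
    "alert_text": "A failed authentication was detected on {}.\nThe attacker looks like:\nUser: {}\nIP: {}",
    "alert_text_args": ["host.hostname", "user.name", "source.ip"],
}

def run_frequency_rule(events, rule=RULE):
    """Return the alert texts the rule produces for events (dicts with a datetime
    '@timestamp' plus flattened fields), processed in time order."""
    windows = {}     # query_key value -> timestamps still inside the timeframe
    last_alert = {}  # query_key value -> time of the last alert sent (realert)
    alerts = []
    field, wanted = rule["filter"]
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get(field) != wanted:
            continue                     # filter: only failed authentications
        key, now = ev.get(rule["query_key"]), ev["@timestamp"]
        hits = [t for t in windows.get(key, []) if now - t < rule["timeframe"]]
        hits.append(now)
        if len(hits) < rule["num_events"]:
            windows[key] = hits          # not enough events in the window yet
            continue
        windows.pop(key, None)           # matched: the window restarts for this key
        if key in last_alert and now - last_alert[key] < rule["realert"]:
            continue                     # realert: same key alerted too recently
        last_alert[key] = now
        alerts.append(rule["alert_text"].format(*[ev.get(a) for a in rule["alert_text_args"]]))
    return alerts

# Constructed sample auditbeat-style events (not real data); T0 is arbitrary.
T0 = datetime(2021, 5, 2, 10, 0, 0)
def _ev(offset_s, etype, user, ip):
    return {"@timestamp": T0 + timedelta(seconds=offset_s), "event.type": etype,
            "host.hostname": "web01", "user.name": user, "source.ip": ip}
SAMPLE_EVENTS = [
    _ev(0, "authentication_failure", "root", "203.0.113.5"),    # alert
    _ev(20, "authentication_failure", "admin", "203.0.113.5"),  # same IP within realert: silenced
    _ev(30, "authentication_success", "alice", "198.51.100.7"), # does not match the filter
    _ev(40, "authentication_failure", "root", "198.51.100.7"),  # other IP: alert
    _ev(120, "authentication_failure", "root", "203.0.113.5"),  # realert expired: alert again
]
```

Calling run_frequency_rule(SAMPLE_EVENTS) returns three alert texts: the second failure from 203.0.113.5 is silenced by realert, and the successful login never matches the filter.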

You can create as many rules as you want by following the same ElastAlert rule structure.

Test the rule.

$ elastalert-test-rule --config /etc/elastalert/config.yaml /etc/elastalert/rules/ssh.yaml

The command should complete without errors.

Create an ElastAlert Service

To run ElastAlert in the background, create a systemd service.

Create the unit file in the systemd directory.

$ cd /etc/systemd/system/
$ sudo vim elastalert.service

Insert the settings below.

[Unit]
Description=elastalert
After=multi-user.target
[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/etc/elastalert/
ExecStart=/usr/bin/python -m elastalert.elastalert --verbose --config /etc/elastalert/config.yaml
StandardOutput=syslog
StandardError=syslog
KillSignal=SIGKILL
[Install]
WantedBy=multi-user.target

Save and exit.

Reload the daemon and start the service.

$ sudo systemctl daemon-reload
$ sudo systemctl start elastalert

You can now see the alerts in your Slack channel.

Wrap-up

In this post we configured ElastAlert to send alerts. In the next article we will configure Snort to collect data from the network.
