Installing ElastAlert [Part 3]
Alerting in the Elasticsearch Stack is a paid feature. The open-source tool ElastAlert, however, integrates with our Elasticsearch Stack and sends alerts for us.
This tutorial is part of the article “SECaaS — Security as a Service”. I recommend reading that article first to understand the basics and the purpose of this lab.
ElastAlert Installation
This tutorial is performed on the Elasticsearch Stack machine.
In this step we are going to install ElastAlert and Slack to receive the alerts.
ElastAlert requires Python 3.6, so check that your Python version is 3.6 or newer.
python -V
If you are running python2.7, you have to change it to 3.6.
$ sudo add-apt-repository ppa:deadsnakes/ppa
$ sudo apt update
$ sudo apt install python3.6
Choose the default python configuration.
$ sudo update-alternatives --install /usr/bin/python python /usr/bin/python2.7 1
$ sudo update-alternatives --install /usr/bin/python python /usr/bin/python3.6 2
$ sudo update-alternatives --config python
Choose python3.6 as the default and exit.
We also need pip to install some of ElastAlert's dependencies.
$ sudo apt install python3-pip
Install ElastAlert and its components.
$ cd /etc/
$ git clone https://github.com/Yelp/elastalert.git
$ pip3 install 'setuptools>=11.3'
$ pip3 install PyYAML==5.1
Installing Slack
ElastAlert can communicate with many platforms, such as Slack, Jira, ServiceNow and others. Check here which tools ElastAlert can integrate with.
In this demo we are using Slack.
Installing Slack is not part of this article, so follow Slack's own instructions to install it on your machine.
After you install Slack, you have to create a workspace to receive the alerts, then save its WebHook URL.
In the Slack main configuration page, go to: Configure Apps > Personalized integrations > WebHook > Configurations> Edit.
At the bottom of the page, save the URL of this WebHook.
It looks like this:
https://hooks.slack.com/services/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h
Configuring ElastAlert
First, we have to create a directory to store our rules.
$ cd /etc/elastalert/
$ mkdir rules
Before we configure the rules directory, change the configuration file /etc/elastalert/config.yaml so that it connects to Elasticsearch.
Change the items shown in bold.
$ vim /etc/elastalert/config.yaml
rules_folder: rules
run_every:
  minutes: 1
buffer_time:
  minutes: 15
es_host: localhost
es_port: 9200
Save the file and quit.
Create the Elasticsearch index in which the alerts will be stored.
$ elastalert-create-index
The rule template, and other examples, can be found in /etc/elastalert/example_rules.
For testing purposes, we will use the ssh.yaml template.
Copy it to the rules folder that we created and edit the file.
$ cp /etc/elastalert/example_rules/ssh.yaml /etc/elastalert/rules/
$ sudo vim /etc/elastalert/rules/ssh.yaml
This rule identifies abuse of SSH connections. The rule looks as follows; you can set the parameters to fit your needs.
You have to change the lines shown in bold.
Do not forget to insert your WebHook URL saved in the previous step.
name: SSH success authentication (ElastAlert 3.0.1) - 2
type: frequency
num_events: 1
timeframe:
  minutes: 60
filter:
- query:
    query_string:
      query: "event.type:authentication_failure"
index: auditbeat-*
realert:
  minutes: 1
query_key:
- source.ip
include:
- host.hostname
- user.name
- source.ip
include_match_in_root: true
alert_subject: "SSH failed authentication on {} | <{}|Show Dashboard>"
alert_subject_args:
- host.hostname
- kibana_link
alert_text: |-
  A failed authentication was detected on {}.
  The attacker looks like:
  User: {}
  IP: {}
alert_text_args:
- host.hostname
- user.name
- source.ip
alert:
- slack
slack_webhook_url: "<WebHook_URL>"
slack_username_override: "ElastAlert"
alert_text_type: alert_text_only
use_kibana4_dashboard: "https://dev.securely.ai/app/kibana#/dashboard/37739d80-a95c-11e9-b5ba-33a34ca252fb"
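To make the rule's parameters concrete, here is an added Python example (not code from the original post or from the ElastAlert project) that simulates how a frequency rule with num_events, timeframe, query_key and realert behaves, and how alert_subject_args and alert_text_args fill the {} placeholders. The events, hostnames, usernames and IP addresses are constructed sample data, and the kibana link is just the dashboard URL from the rule (real ElastAlert appends a time range to it). The simulation also shows the general case of num_events greater than 1, which the rule above does not use.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Parameters copied from the ssh.yaml rule above.
NUM_EVENTS = 1
TIMEFRAME = timedelta(minutes=60)
REALERT = timedelta(minutes=1)
QUERY_KEY = "source.ip"
FILTER_EVENT_TYPE = "authentication_failure"   # event.type:authentication_failure
KIBANA_DASHBOARD = "https://dev.securely.ai/app/kibana#/dashboard/37739d80-a95c-11e9-b5ba-33a34ca252fb"

ALERT_SUBJECT = "SSH failed authentication on {} | <{}|Show Dashboard>"
ALERT_SUBJECT_ARGS = ["host.hostname", "kibana_link"]
ALERT_TEXT = ("A failed authentication was detected on {}.\n"
              "The attacker looks like:\nUser: {}\nIP: {}")
ALERT_TEXT_ARGS = ["host.hostname", "user.name", "source.ip"]

# Constructed sample events, using the flattened field names Auditbeat produces.
T0 = datetime(2020, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"@timestamp": T0, "event.type": "authentication_failure",
     "host.hostname": "web01", "user.name": "root", "source.ip": "198.51.100.7"},
    # Same source.ip 10 s later: matches, but silenced by realert.
    {"@timestamp": T0 + timedelta(seconds=10), "event.type": "authentication_failure",
     "host.hostname": "web01", "user.name": "admin", "source.ip": "198.51.100.7"},
    # A successful login: dropped by the filter.
    {"@timestamp": T0 + timedelta(seconds=20), "event.type": "authentication_success",
     "host.hostname": "web01", "user.name": "alice", "source.ip": "203.0.113.5"},
    # Different query_key value: gets its own alert.
    {"@timestamp": T0 + timedelta(seconds=30), "event.type": "authentication_failure",
     "host.hostname": "db01", "user.name": "postgres", "source.ip": "203.0.113.9"},
    # First IP again after realert expired: alerts again.
    {"@timestamp": T0 + timedelta(minutes=2), "event.type": "authentication_failure",
     "host.hostname": "web01", "user.name": "root", "source.ip": "198.51.100.7"},
]


def render(template, arg_fields, match):
    """Fill {} placeholders from the match, the way alert_*_args does."""
    values = [KIBANA_DASHBOARD if f == "kibana_link" else match.get(f, "<MISSING VALUE>")
              for f in arg_fields]
    return template.format(*values)


def run_frequency_rule(events, num_events=NUM_EVENTS, timeframe=TIMEFRAME, realert=REALERT):
    """Return (alerts_sent, silenced_count) for a frequency rule keyed on QUERY_KEY."""
    windows = defaultdict(deque)   # per-key sliding window of filtered events
    last_alert = {}                # per-key time of the last alert actually sent
    alerts, silenced = [], 0
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev["event.type"] != FILTER_EVENT_TYPE:
            continue                                  # the filter: query did not match
        key, ts = ev[QUERY_KEY], ev["@timestamp"]
        win = windows[key]
        win.append(ev)
        while win and ts - win[0]["@timestamp"] > timeframe:
            win.popleft()                             # forget events outside timeframe
        if len(win) < num_events:
            continue
        win.clear()                                   # a match resets the count for this key
        if key in last_alert and ts - last_alert[key] < realert:
            silenced += 1                             # realert: same key alerted too recently
            continue
        last_alert[key] = ts
        alerts.append({
            "key": key, "time": ts,
            "subject": render(ALERT_SUBJECT, ALERT_SUBJECT_ARGS, ev),
            "text": render(ALERT_TEXT, ALERT_TEXT_ARGS, ev),
        })
    return alerts, silenced


if __name__ == "__main__":
    sent, muted = run_frequency_rule(SAMPLE_EVENTS)
    for a in sent:
        print(a["subject"])
        print(a["text"], end="\n\n")
    print(f"{len(sent)} alerts sent, {muted} silenced by realert")
```

With the rule's own settings the five sample events produce three alerts and one silenced match; with num_events: 3 and the same timeframe, only the IP that fails three times inside 60 minutes alerts, and only once. Note that query_key makes both the counting and the realert silence per source IP, which is why the second host gets its own alert despite arriving inside the first IP's realert period.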
You can create as many rules as you want, as long as they follow the ElastAlert rule structure.
Test the rule.
$ elastalert-test-rule --config /etc/elastalert/config.yaml /etc/elastalert/rules/ssh.yaml
The output should show no errors.
Create an ElastAlert Service
To run ElastAlert in the background, you should create a service.
Create the configuration file in the systemd directory.
$ cd /etc/systemd/system/
$ sudo vim elastalert.service
Insert the settings below.
[Unit]
Description=elastalert
After=multi-user.target

[Service]
Type=simple
User=root
Group=root
WorkingDirectory=/etc/elastalert/
ExecStart=/usr/bin/python -m elastalert.elastalert --verbose --config /etc/elastalert/config.yaml
StandardOutput=syslog
StandardError=syslog
KillSignal=SIGKILL

[Install]
WantedBy=multi-user.target
Save and exit.
Reload the daemon and start the service.
$ sudo systemctl daemon-reload
$ sudo systemctl start elastalert
You can now see the alerts in your Slack channel.
Wrap-up
In this post we configured ElastAlert to send alerts. In the next article we will configure Snort to collect data from the network.