ElastAlert

We're currently working on integrating ElastAlert into Security Onion with our move to the Elastic stack.

Description

From http://elastalert.readthedocs.io/en/latest/elastalert.html#overview:

ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.

At Yelp, we use Elasticsearch, Logstash and Kibana for managing our ever increasing amount of data and logs. Kibana is great for visualizing and querying data, but we quickly realized that it needed a companion tool for alerting on inconsistencies in our data. Out of this need, ElastAlert was created. If you have data being written into Elasticsearch in near real time and want to be alerted when that data matches certain patterns, ElastAlert is the tool for you.

ElastAlert runs as a Docker container within Security Onion, queries ElasticSearch, and provides an alerting mechanism with multiple output types, such as Slack, Email, JIRA, OpsGenie, and many more.

Configuration

ElastAlert rules are stored in /etc/elastalert/rules/.

Security Onion's default ElastAlert rules are configured with an output type of "debug", which simply outputs all matches queries to a log file, found in /var/log/elastalert/elastalert_stderr.log.

To have ElastAlert send alerts to something like Slack, we can simply change the alert type and details for a rule like so:

alert:
- "slack":
    slack_webhook_url: "https://hooks.slack.com/services/YOUR_WEBHOOK_URI"

To have ElastAlert send to email, we could do something like the following:

alert:
- "email"
email:
- "[email protected]"

More Information

You can learn more about ElastAlert and its output types here:

http://elastalert.readthedocs.io/en/latest/