(myvenv) [sooabia@docker-registry ~]$ mkdir ElastAlert

(myvenv) [sooabia@docker-registry ~]$ cd ElastAlert
(myvenv) [sooabia@docker-registry ElastAlert]$

(myvenv) [sooabia@docker-registry ElastAlert]$ wget https://github.com/Yelp/elastalert/blob/master/config.yaml.example


(myvenv) [sooabia@docker-registry ElastAlert]$ mv config.yaml.example config.yaml

(myvenv) [sooabia@docker-registry ElastAlert]$ vim config.yaml

# This is the folder that contains the rule yaml files
# Any .yaml file will be loaded as a rule
rules_folder: example_rules

# How often ElastAlert will query Elasticsearch
# The unit can be anything from weeks to seconds
run_every:
minutes: 1

# ElastAlert will buffer results from the most recent
# period of time, in case some log sources are not in real time
buffer_time:
minutes: 15

# The Elasticsearch hostname for metadata writeback
# Note that every rule can have its own Elasticsearch host
es_host: 124.136.171.48

# The Elasticsearch port
es_port: 5510

# The AWS region to use. Set this when using AWS-managed elasticsearch
#aws_region: us-east-1

# The AWS profile to use. Use this if you are using an aws-cli profile.
# See http://docs.aws.amazon.com/cli/latest/userguide/cli-chap-getting-started.html
# for details
#profile: test

# Optional URL prefix for Elasticsearch
#es_url_prefix: elasticsearch

# Connect with TLS to Elasticsearch
#use_ssl: True

# Verify TLS certificates
#verify_certs: True

# GET request with body is the default option for Elasticsearch.
# If it fails for some reason, you can pass 'GET', 'POST' or 'source'.
# See http://elasticsearch-py.readthedocs.io/en/master/connection.html?highlight=send_get_body_as#transport
# for details
#es_send_get_body_as: GET

# Option basic-auth username and password for Elasticsearch
#es_username: someusername
#es_password: somepassword

# Use SSL authentication with client certificates client_cert must be
# a pem file containing both cert and key for client
#verify_certs: True
#ca_certs: /path/to/cacert.pem
#client_cert: /path/to/client_cert.pem
#client_key: /path/to/client_key.key

# The index on es_host which is used for metadata storage
# This can be a unmapped index, but it is recommended that you run
# elastalert-create-index to set a mapping
writeback_index: elastalert_status

# If an alert fails for some reason, ElastAlert will retry
# sending the alert until this time period has elapsed
alert_time_limit:
days: 2

(myvenv) [sooabia@docker-registry ElastAlert]$ vim rule.http.status.404.yaml

# Alert when the rate of events exceeds a threshold

# (Required)
# Rule name, must be unique
name: 404Log

# (Required)
# Type of alert.
# the frequency rule type alerts when num_events events occur with timeframe time
# type: frequency
type: any

# (Required)
# Index to search, wildcard supported
index: accesslog

# use_strftime_index: true

# (Required, frequency specific)
# Alert when this many documents matching the query occur within a timeframe
# num_events: 1

# (Required, frequency specific)
# num_events must occur within this amount of time to trigger an alert
# timeframe:
# hours: 1

# (Required)
# A list of Elasticsearch filters used for find events
# These filters are joined with AND and nested in a filtered query
# For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
filter:
- query:
query_string:
query: "response: 404"

# (Required)
# The alert is use when a match is found
alert:
- "slack":
slack_webhook_url: "https://hooks.slack.com/services/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"
slack_username_override: 'Sanse'
slack_channel_override: '#general'
#slack_emoji_override: ':emoji:'

(myvenv) [sooabia@docker-registry ElastAlert]$ elastalert-test-rule rule.http.status.404.yaml