Elasticsearch alert alert/elasticsearch

Description

This module exports all alerts to an Elasticsearch server. It also enriches each alert with some extra information, such as GeoIP data.

Parameters

elasticsearch_server

Elasticsearch server address.

Warning

Be careful not to create security rules that block elasticsearch traffic.

elasticsearch_index

Elasticsearch index.

Note

If this field is missing, Haka will use ips as default kibana index.

geoip_database

Absolute file path to geoip data file. Optional field that provides geolocalization support.

Example:

[alert]
# Select the alert module
module = "alert/elasticsearch"

# alert/elasticsearch module option
elasticsearch_server = "http://127.0.0.1:9200"
#elasticsearch_index = "ips"
geoip_database = "/usr/share/GeoIP/GeoIP.dat"

Kibana and Elasticsearch setup

  • Install and start Elasticsearch server
sudo dpkg -i elasticsearch-<version>.deb
sudo service elasticsearch start
  • Install and setup Kibana
tar -zxvf kibana-<version>.tar.gz \
    --strip-components=1 \
        -C <webserver-path>/kibana

Note

You may need to edit the ‘config.js’ file and set the Elasticsearch address (e.g. elasticsearch = http://127.0.0.1:9200).
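The configuration example above and the setup steps that follow it leave two things for the operator to get right: the [alert] section must carry a usable elasticsearch_server (with the index defaulting to ips and geoip_database being an optional absolute path), and nothing on the host may block traffic to that address, as the warning notes. The script below is an added example, not part of Haka, that checks both: it parses the [alert] section with Python's configparser (assuming Haka's double-quoted INI-style values, as in the example), validates the documented fields, and optionally probes the server with the standard Elasticsearch "GET /" banner and "HEAD /<index>" requests. The sample configuration embedded in it is constructed from the documented example.

```python
"""Sanity-check a Haka [alert] section for the alert/elasticsearch module.

Added example (not Haka's own code). It reads the same keys the module
documents: elasticsearch_server, elasticsearch_index (defaults to "ips")
and geoip_database (optional, absolute path), and can probe the server
so a blocked or down address shows up before alerts are silently lost.
"""
import configparser
import json
import os
import urllib.error
import urllib.request
from urllib.parse import urlparse

DEFAULT_INDEX = "ips"  # documented default when elasticsearch_index is missing

# Constructed sample configuration, mirroring the documented example.
SAMPLE_CONFIG = """
[alert]
# Select the alert module
module = "alert/elasticsearch"

# alert/elasticsearch module option
elasticsearch_server = "http://127.0.0.1:9200"
#elasticsearch_index = "ips"
geoip_database = "/usr/share/GeoIP/GeoIP.dat"
"""


def _unquote(value):
    """Haka config values are written in double quotes; strip them."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def parse_alert_section(text):
    """Return the alert/elasticsearch settings from a Haka config string."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section("alert"):
        raise ValueError("no [alert] section")
    section = parser["alert"]
    return {
        "module": _unquote(section.get("module", "")),
        "server": _unquote(section.get("elasticsearch_server", "")),
        "index": _unquote(section.get("elasticsearch_index", DEFAULT_INDEX)),
        "geoip": _unquote(section.get("geoip_database", "")) or None,
    }


def validate(settings, check_files=True):
    """Return a list of problems; an empty list means the section looks sane."""
    problems = []
    if settings["module"] != "alert/elasticsearch":
        problems.append("module is not alert/elasticsearch")
    url = urlparse(settings["server"])
    try:
        port = url.port
    except ValueError:  # non-numeric port
        port = None
    if url.scheme not in ("http", "https") or not url.hostname:
        problems.append("elasticsearch_server must be an http(s) URL with a host")
    elif port is None:
        problems.append("elasticsearch_server has no valid explicit port "
                        "(Elasticsearch usually listens on 9200)")
    if not settings["index"]:
        problems.append("elasticsearch_index is empty")
    geoip = settings["geoip"]
    if geoip is not None:
        if not os.path.isabs(geoip):
            problems.append("geoip_database must be an absolute path")
        elif check_files and not os.path.isfile(geoip):
            problems.append("geoip_database file not found: %s" % geoip)
    return problems


def probe_server(settings, timeout=3.0):
    """Fetch the Elasticsearch banner and check whether the index exists.

    Returns a dict; 'reachable' stays False with an 'error' string when
    the address is blocked or the server is down.
    """
    base = settings["server"].rstrip("/")
    result = {"reachable": False, "index_exists": None}
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as resp:
            banner = json.loads(resp.read().decode("utf-8"))
        result["reachable"] = True
        result["version"] = banner.get("version", {}).get("number")
        req = urllib.request.Request(base + "/" + settings["index"], method="HEAD")
        try:
            with urllib.request.urlopen(req, timeout=timeout):
                result["index_exists"] = True
        except urllib.error.HTTPError as exc:
            result["index_exists"] = False if exc.code == 404 else None
    except (urllib.error.URLError, OSError, ValueError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    cfg = parse_alert_section(SAMPLE_CONFIG)
    print("settings:", cfg)
    for problem in validate(cfg):
        print("problem:", problem)
    print("probe:", probe_server(cfg))
```

Run it on the host where Haka is deployed, pointing parse_alert_section at the real configuration file; a "reachable" of False with a connection error is the symptom of the firewall problem the warning describes, and index_exists False before Haka has sent any alert is expected, since the index is created on first write.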

Kibana dashboard

The dashboard ips_dahsboard.json is an example of a Kibana dashboard that shows some information about Haka alerts.

Note

Set the Elasticsearch index to the elasticsearch_index value in the main Kibana dashboard settings.