Elasticsearch alert alert/elasticsearch¶

Description¶

This module will exports all alerts to an elasticsearch server. It also adds also some extra information such as geoip data.

Parameters¶

elasticsearch_server: Elasticsearch server address.

Warning

Be careful not to create security rules that block elasticsearch traffic.

elasticsearch_index: Elasticsearch index.

Note

If this field is missing, Haka will use ips as default kibana index.

geoip_database: Absolute file path to geoip data file. Optional field that provides geolocalization support.

Example :

[alert]
# Select the alert module
module = "alert/elasticsearch"

# alert/elasticsearch module option
elasticsearch_server = "http://127.0.0.1:9200"
#elasticsearch_index = "ips"
geoip_database = "/usr/share/GeoIP/GeoIP.dat"

Kibana and Elasticsearch setup¶

Install and start Elasticsearch server

sudo dpkg -i elasticsearch-<version>.deb
sudo service elasticsearch start

Install and setup Kibana

tar -zxvf kibana-<version>.tar.gz \
    --strip-components=1 \
        -C <webserver-path>/kibana

Note

you may need to edit ‘config.js’ file and set the elasticsearch address (e.g. elasticsearch = http://127.0.0.1:9200)

Kibana dashboard¶

The dashboard ips_dahsboard.json is an example of a Kibana dashboard that shows some info about haka alerts.

Note

Set the elasticsearch index to elasticsearch_index value in the main kibana dashboard setting.