Elasticsearch alert: alert/elasticsearch
Description
This module exports all alerts to an Elasticsearch server. It also adds some extra information, such as GeoIP data, to each alert.
Parameters
- elasticsearch_server
Elasticsearch server address.
Warning
Be careful not to create security rules that block elasticsearch traffic.
- elasticsearch_index
Elasticsearch index.
Note
If this field is missing, Haka will use ips as the default Kibana index.
- geoip_database
Absolute file path to geoip data file. Optional field that provides geolocalization support.
Example:
[alert]
# Select the alert module
module = "alert/elasticsearch"
# alert/elasticsearch module option
elasticsearch_server = "http://127.0.0.1:9200"
#elasticsearch_index = "ips"
geoip_database = "/usr/share/GeoIP/GeoIP.dat"
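The [alert] section above is easy to get subtly wrong (a server address without a scheme or port, a relative GeoIP path, a forgotten index that silently falls back to ips). The following pre-flight checker is an added example, not part of Haka itself; it parses a constructed copy of that section with Python's configparser (Haka's quoting of string values is stripped by hand) and reports the problems a practitioner would want to know about before starting the daemon:

```python
"""Pre-flight check for a Haka [alert] section that uses alert/elasticsearch."""
import configparser
from urllib.parse import urlparse

# Constructed copy of the example [alert] section from this page (not a real deployment).
SAMPLE_CONF = """
[alert]
# Select the alert module
module = "alert/elasticsearch"
elasticsearch_server = "http://127.0.0.1:9200"
#elasticsearch_index = "ips"
geoip_database = "/usr/share/GeoIP/GeoIP.dat"
"""

DEFAULT_INDEX = "ips"  # index Haka falls back to when elasticsearch_index is missing


def _unquote(value):
    """Haka writes string values in double quotes; strip one matching pair."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def check_alert_section(text):
    """Parse the [alert] section; return (effective settings, list of problems)."""
    parser = configparser.ConfigParser(inline_comment_prefixes=None)
    parser.read_string(text)
    if not parser.has_section("alert"):
        return {}, ["missing [alert] section"]
    settings = {k: _unquote(v) for k, v in parser["alert"].items()}
    problems = []
    if settings.get("module") != "alert/elasticsearch":
        problems.append("module is not alert/elasticsearch")
    server = settings.get("elasticsearch_server")
    if not server:
        problems.append("elasticsearch_server is required")
    else:
        url = urlparse(server)
        if url.scheme not in ("http", "https") or not url.hostname:
            problems.append("elasticsearch_server must be an http(s) URL with a host")
        elif url.port is None:
            problems.append("elasticsearch_server has no explicit port (Elasticsearch usually listens on 9200)")
    # A missing index is allowed: record the default Haka will use so it is visible.
    settings.setdefault("elasticsearch_index", DEFAULT_INDEX)
    geoip = settings.get("geoip_database")
    if geoip is not None and not geoip.startswith("/"):
        problems.append("geoip_database must be an absolute file path")
    return settings, problems
```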
Kibana and Elasticsearch setup
- Install and start Elasticsearch server
sudo dpkg -i elasticsearch-<version>.deb
sudo service elasticsearch start
- Install and setup Kibana
tar -zxvf kibana-<version>.tar.gz \
--strip-components=1 \
-C <webserver-path>/kibana
Note
You may need to edit the 'config.js' file and set the Elasticsearch address (e.g. elasticsearch = http://127.0.0.1:9200).
Kibana dashboard
The dashboard ips_dahsboard.json is an example of a Kibana dashboard that shows some information about Haka alerts.
Note
In the main Kibana dashboard settings, set the Elasticsearch index to the value of elasticsearch_index.