Centralized logging is a fantastic tool, especially if you can take it from collection-only to realtime action. The tools that enable realtime alerting, such as Watcher and ElastAlert, have not been easy to use, because they are focused on file-based configuration.

BitSensor now open-sources our ElastAlert plugin, which enables realtime alerting on top of ElasticSearch and is fully integrated into Kibana. It takes under 5 minutes to set up, as we have packaged everything for you.


Installation

CD to your Kibana folder. Then:

Installing the ElastAlert plugin into Kibana:

    ./bin/kibana plugin -i elastalert -u https://git.bitsensor.io/front-end/elastalert-kibana-plugin/builds/5251/artifacts/file/build/elastalert-0.0.6.zip

Clone the ElastAlert Server repository with the Docker container:

    git clone https://git.bitsensor.io/back-end/elastalert.git
    cd elastalert

Build the container locally:

    docker build . -t elastalert

Run the container, map the configuration files and folders, and expose port 3030 to our host:

    docker run -d \
      -p 3030:3030 \
      -v `pwd`/config/elastalert.yaml:/opt/elastalert/config.yaml \
      -v `pwd`/config/elastalert-server.json:/opt/elastalert-server/config/config.json \
      -v `pwd`/rules:/opt/elastalert/rules \
      --net="host" \
      elastalert:latest

Start Kibana:

    cd ../
    ./bin/kibana

Depending on the location of the ElasticSearch cluster, you might have to change the configuration files accordingly.

That's it!

Feel free to share your results, open a PR, and open issues on https://git.bitsensor.io/front... and https://git.bitsensor.io/back-.... (or https://github.com/bitsensor/e... and https://github.com/bitsensor/e... on GitHub)

Just an example

Send a Slack alert on every attack on your application. It will tell you who is attacking you, the tools used, and the application that is under threat.

    # Index to search, wildcard supported
    index: bitsensor
    timestamp_field: endpoint.localtime

    # Rule name, must be unique
    name: Alert on Attack

    # Type of alert.
    type: any
    realert:
      minutes: 0

    # A list of elasticsearch filters used to find events
    # These filters are joined with AND and nested in a filtered query
    # For more info: http://www.elasticsearch.org/guide/en/elasticsearch/reference/current/query-dsl.html
    filter:
    - nested:
        path: detections
        query:
          exists:
            field: detections

    include:
    - endpoint.location
    - endpoint.name
    - context.http.userAgent
    - context.ip
    - context.php.session.sessionId
    - detections.type
    - detections.name

    alert_subject: "Attack on {}"
    alert_subject_args:
    - endpoint.name

    alert_text_type: alert_text_only
    alert_text: "Detection triggered at {}\nIP: {} \nUser-Agent: {}"
    alert_text_args:
    - endpoint.location
    - context.ip
    - context.http.userAgent

    # The alert used when a match is found
    alert:
    - slack
    slack_webhook_url: https://hooks.slack.com/services/*/*/*
    slack_username_override: "BitSensor"
    slack_channel_override: "#hacks"
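As an added example that is not part of this post or of ElastAlert itself, here is a dry run of the rule above against two constructed events. It shows which event the detections filter admits, how the "{}" placeholders in alert_subject and alert_text are filled from alert_subject_args and alert_text_args, and the checks worth running before the rule goes live (placeholder webhook URL, realert of 0 minutes, alert fields missing from include). The rule is transcribed as a Python dict so no PyYAML is needed; lookup, matches_filter, render, build_alert and lint_rule are hypothetical helpers, and the dotted-field resolution is an approximation of ElastAlert's behaviour, not its code.

```python
"""Dry run of the 'Alert on Attack' rule against constructed events.

Assumptions: the rule dict mirrors the YAML in the post; the two events are
constructed samples; dotted-field lookup and positional "{}" formatting
approximate what ElastAlert does with alert_subject_args / alert_text_args.
"""
from typing import Any, Optional

RULE = {
    "index": "bitsensor",
    "timestamp_field": "endpoint.localtime",
    "name": "Alert on Attack",
    "type": "any",
    "realert": {"minutes": 0},
    "filter": [{"nested": {"path": "detections",
                           "query": {"exists": {"field": "detections"}}}}],
    "include": ["endpoint.location", "endpoint.name", "context.http.userAgent",
                "context.ip", "context.php.session.sessionId",
                "detections.type", "detections.name"],
    "alert_subject": "Attack on {}",
    "alert_subject_args": ["endpoint.name"],
    "alert_text_type": "alert_text_only",
    "alert_text": "Detection triggered at {}\nIP: {} \nUser-Agent: {}",
    "alert_text_args": ["endpoint.location", "context.ip", "context.http.userAgent"],
    "alert": ["slack"],
    "slack_webhook_url": "https://hooks.slack.com/services/*/*/*",  # placeholder from the post
    "slack_username_override": "BitSensor",
    "slack_channel_override": "#hacks",
}

# Constructed sample documents: one carrying a detection, one clean.
ATTACK_EVENT = {
    "endpoint": {"name": "webshop", "location": "/checkout",
                 "localtime": "2017-01-01T10:00:00Z"},
    "context": {"ip": "203.0.113.7",
                "http": {"userAgent": "example-scanner/1.0"},
                "php": {"session": {"sessionId": "abc123"}}},
    "detections": [{"type": "sqli", "name": "union select"}],
}
CLEAN_EVENT = {
    "endpoint": {"name": "webshop", "location": "/",
                 "localtime": "2017-01-01T10:00:01Z"},
    "context": {"ip": "198.51.100.2", "http": {"userAgent": "Mozilla/5.0"}},
    "detections": [],
}


def lookup(doc: dict, dotted: str) -> Optional[Any]:
    """Resolve a dotted field name such as 'context.http.userAgent'.
    Missing keys yield None so a malformed event never raises in the alerter."""
    cur: Any = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_filter(doc: dict) -> bool:
    """Stand-in for the rule's nested exists filter on 'detections': the
    event qualifies when it carries at least one detection object."""
    dets = doc.get("detections")
    return isinstance(dets, list) and len(dets) > 0


def render(template: str, arg_fields: list, doc: dict) -> str:
    """Fill positional '{}' placeholders from the listed fields, the way
    alert_subject_args / alert_text_args are consumed. Missing fields
    render as '<MISSING>' instead of breaking the alert."""
    values = [lookup(doc, f) for f in arg_fields]
    return template.format(*["<MISSING>" if v is None else v for v in values])


def build_alert(rule: dict, doc: dict) -> Optional[dict]:
    """Return the Slack message the rule would post for doc, or None when
    the filter does not match."""
    if not matches_filter(doc):
        return None
    return {
        "channel": rule["slack_channel_override"],
        "username": rule["slack_username_override"],
        "subject": render(rule["alert_subject"], rule["alert_subject_args"], doc),
        "text": render(rule["alert_text"], rule["alert_text_args"], doc),
    }


def lint_rule(rule: dict) -> list:
    """Checks a reviewer would run before deploying the rule."""
    problems = []
    if "*" in rule.get("slack_webhook_url", ""):
        problems.append("slack_webhook_url still holds the placeholder; set the real "
                        "webhook and keep it out of version control, it is a secret")
    if rule.get("realert", {}).get("minutes", 1) == 0:
        problems.append("realert is 0 minutes: every matching event posts to Slack, "
                        "so a burst of detections floods the channel")
    used = rule.get("alert_text_args", []) + rule.get("alert_subject_args", [])
    for field in used:
        if field not in rule.get("include", []):
            problems.append(f"{field} is used in the alert text but not listed in include")
    return problems


if __name__ == "__main__":
    for p in lint_rule(RULE):
        print("WARN:", p)
    for ev in (ATTACK_EVENT, CLEAN_EVENT):
        print(build_alert(RULE, ev))
```

Running the script prints two warnings for the rule as published (the wildcard webhook URL and the zero-minute realert) and one rendered Slack message, since only the first constructed event carries a detection.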

More examples, such as a Spike or Frequency rule, are available at http://elastalert.readthedocs....

Kibana ElastAlert in action


More about BitSensor

BitSensor uses big data correlation and efficient attack detection to create applications that defend themselves. Find out more.