Alerting in ELK stack?

We are using the ELK stack (logstash, elasticsearch, kibana) to analyze
our logs. So far, so good.

But now we want notification generation on some particular kinds of logs.
E.g. when a failed-login log comes more than 5 times (threshold crossed),
an email should be sent to the sysadmin.

I looked up online and heard about statsd, riemann, nagios and the metric
filter (logstash) to achieve our requirement.

Can anyone suggest which fits best with the ELK stack? I am new to this. Thanks

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/d8d3b4ef-b687-4e2c-bfe8-64519f9a456a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

The solutions I've seen for things like this in ELK are usually along the
lines of using logstash to reparse the logs in ES and using some output
(e-mail, nagios, Zabbix) to do the alerting.

For now I've stuck with using OSSEC (www.ossec.net) to do my alerting and
"just" use ELK for log analysis.

On Monday, June 23, 2014 5:50:22 AM UTC-3, Siddharth Trikha wrote:

> We are using the ELK stack (logstash, elasticsearch, kibana) to analyze
> our logs. So far, so good.
> [...]

@Antonio: I use the email output for a particular pattern in a log. But,
for example, when a particular log comes more than 5 times, alerting on
this requires a state to be maintained, which is not there in logstash.

I don't know about OSSEC. But how do I use it to achieve the above? Presently
logstash reads logs, ES stores them and kibana presents them. How does OSSEC
fit here?

On Monday, 23 June 2014 15:50:36 UTC+5:30, Antonio Augusto Santos wrote:

> The solutions I've seen for things like this in ELK are usually along the
> lines of using logstash to reparse the logs in ES and using some output
> (e-mail, nagios, Zabbix) to do the alerting.
> [...]
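The per-source counting Siddharth describes can live in a small consumer that sits beside logstash, reading the same syslog stream (or a logstash file/tcp output). The following is an added example, not code from this thread, from logstash or from OSSEC: a sliding-window counter keyed by source IP that fires once when failed logins exceed the threshold inside the window and then holds off for a cooldown, so a brute-force burst produces one email rather than one per event. The OpenSSH "Failed password" line format is real; the sample lines, the year assumed for the year-less syslog timestamps, and the threshold/window/cooldown values are constructed for the example.

```python
"""Sliding-window threshold alerting for failed SSH logins.

Added example, not code from this thread, logstash or OSSEC.  It keeps the
per-source state that a stateless filter chain lacks: a deque of recent
failure timestamps per source IP, trimmed to the window on every event.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# OpenSSH "Failed password" lines as syslog writes them.  Classic syslog
# timestamps carry no year, so the parser takes one as a parameter.
SSHD_FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Constructed sample: 7 failures from 203.0.113.7 in 14 s, one stray failure
# from 198.51.100.9, one more from 203.0.113.7 after the window has expired.
SAMPLE_LOG = """\
Jun 23 10:00:01 web1 sshd[2001]: Failed password for root from 203.0.113.7 port 4021 ssh2
Jun 23 10:00:03 web1 sshd[2002]: Failed password for root from 203.0.113.7 port 4022 ssh2
Jun 23 10:00:05 web1 sshd[2003]: Accepted password for deploy from 198.51.100.2 port 5000 ssh2
Jun 23 10:00:07 web1 sshd[2004]: Failed password for invalid user admin from 203.0.113.7 port 4023 ssh2
Jun 23 10:00:09 web1 sshd[2005]: Failed password for root from 203.0.113.7 port 4024 ssh2
Jun 23 10:00:11 web1 sshd[2006]: Failed password for root from 203.0.113.7 port 4025 ssh2
Jun 23 10:00:13 web1 sshd[2007]: Failed password for root from 203.0.113.7 port 4026 ssh2
Jun 23 10:00:15 web1 sshd[2008]: Failed password for root from 203.0.113.7 port 4027 ssh2
Jun 23 10:00:20 web1 sshd[2009]: Failed password for bob from 198.51.100.9 port 6000 ssh2
Jun 23 10:09:00 web1 sshd[2010]: Failed password for root from 203.0.113.7 port 4028 ssh2
"""


def parse_failed_login(line, year=2014):
    """Return (timestamp, user, source_ip) for a failed-login line, else None."""
    m = SSHD_FAILED.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]


class ThresholdAlerter:
    """Alert once when more than `threshold` events from one key fall inside
    `window`, then stay quiet for that key until `cooldown` has passed."""

    def __init__(self, threshold=5, window=timedelta(minutes=5),
                 cooldown=timedelta(minutes=10)):
        self.threshold = threshold
        self.window = window
        self.cooldown = cooldown
        self.recent = defaultdict(deque)   # key -> timestamps inside the window
        self.last_alert = {}               # key -> time the last alert fired

    def observe(self, ts, key):
        q = self.recent[key]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop events that aged out
            q.popleft()
        if len(q) <= self.threshold:
            return None
        last = self.last_alert.get(key)
        if last is not None and ts - last < self.cooldown:
            return None                       # still suppressed for this key
        self.last_alert[key] = ts
        return {"key": key, "count": len(q), "first": q[0], "last": ts}


def scan(log_text, year=2014, **alerter_args):
    """Run the detector over a block of syslog text; return the alerts raised."""
    alerter = ThresholdAlerter(**alerter_args)
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_failed_login(line, year)
        if parsed is None:          # accepted logins and unrelated lines
            continue
        ts, _user, ip = parsed
        alert = alerter.observe(ts, ip)
        if alert is not None:
            alerts.append(alert)
    return alerts


def format_mail(alert):
    """Text for the sysadmin email; hand it to your MTA or smtplib."""
    return (f"Subject: [ALERT] {alert['count']} failed SSH logins from {alert['key']}\n"
            f"Window: {alert['first']:%Y-%m-%d %H:%M:%S} .. {alert['last']:%H:%M:%S}")


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(format_mail(a))
```

Events must arrive in time order for the deque trimming to be correct; if the pipeline can reorder lines, sort each batch by timestamp first. Keying on the source IP catches one host spraying passwords; add a second alerter keyed on the user name if distributed attempts against a single account also matter.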

I haven't done it yet, but my plan is to simply do REST searches, and if
I get a lot of alerts and want to check often, I'd switch to setting up
percolators.

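For the REST-search approach above, the whole "more than 5 in the last 5 minutes" test can be pushed into one Elasticsearch aggregation query run from cron. This is an added example, not code from the thread: it assumes the documents carry `@timestamp`, an `event` field set to `ssh_login_failed` by the logstash filter and a not-analyzed `src_ip` field (all three field names are ours), and uses the `bool` query form of Elasticsearch 2.x and later (1.x spelled it `filtered`). The response embedded at the bottom is constructed in the shape Elasticsearch returns for this query, so the evaluation runs offline.

```python
"""Polled threshold check against Elasticsearch.

Added example, not code from this thread.  Instead of streaming state, one
aggregation query per interval asks Elasticsearch which sources crossed the
threshold.  Field names (@timestamp, event, src_ip) are assumed to be set by
your logstash filters; the `bool` query needs Elasticsearch 2.x or later.
"""
import json
from urllib.request import Request, urlopen


def build_threshold_query(threshold=5, window="5m", lag="1m",
                          event="ssh_login_failed", group_by="src_ip",
                          max_groups=100):
    """Query: failed-login events in [now-window-lag, now-lag), bucketed by
    source.  min_doc_count = threshold + 1 implements "more than threshold"
    server-side, so only offending sources come back.  `lag` keeps the
    window behind wall-clock time so late-indexed events are still counted."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event": event}},
            {"range": {"@timestamp": {"gte": f"now-{window}-{lag}",
                                      "lt": f"now-{lag}"}}},
        ]}},
        "aggs": {"offenders": {"terms": {
            "field": group_by,
            "size": max_groups,
            "min_doc_count": threshold + 1,
            "order": {"_count": "desc"},
        }}},
    }


def offenders_from_response(resp, threshold=5):
    """Return [(source, count), ...] for buckets above the threshold.  The
    server already applied min_doc_count; re-check so a hand-edited query
    cannot silently lower the bar."""
    buckets = resp.get("aggregations", {}).get("offenders", {}).get("buckets", [])
    return [(b["key"], b["doc_count"]) for b in buckets if b["doc_count"] > threshold]


def search(base_url, index, body, timeout=10):
    """POST the query to <base_url>/<index>/_search and return the parsed JSON."""
    req = Request(f"{base_url}/{index}/_search",
                  data=json.dumps(body).encode("utf-8"),
                  headers={"Content-Type": "application/json"}, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def check_once(base_url="http://localhost:9200", index="logstash-*", threshold=5):
    """One cron tick: run the query and return the offenders to mail about."""
    resp = search(base_url, index, build_threshold_query(threshold))
    return offenders_from_response(resp, threshold)


# Constructed response in the shape Elasticsearch returns for the query above.
# A real reply would not contain the 1-count bucket because of min_doc_count;
# it is here to exercise the client-side re-check.
SAMPLE_RESPONSE = {
    "took": 4, "timed_out": False,
    "hits": {"total": 9, "hits": []},
    "aggregations": {"offenders": {
        "doc_count_error_upper_bound": 0, "sum_other_doc_count": 0,
        "buckets": [
            {"key": "203.0.113.7", "doc_count": 7},
            {"key": "198.51.100.9", "doc_count": 1},
        ]}},
}


if __name__ == "__main__":
    for ip, n in offenders_from_response(SAMPLE_RESPONSE):
        print(f"ALERT: {n} failed logins from {ip} in the window")
```

Run `check_once()` from cron at the same period as the window so bursts are not counted twice or missed between ticks, and keep `lag` at least as large as the ingestion delay you see in Kibana. Percolators invert this (register the query, match each incoming document) and suit per-event alerts, but they do not count across documents, so a threshold rule still needs either a query like this one or an external counter.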

OSSEC is a HIDS (Host Intrusion Detection System); its objective is to
parse logs, check the logs against rules and send alerts. It has a vast
amount of rules already defined, so when it starts checking your logs it
will start firing alerts.

In my architecture OSSEC sits outside the ELK stack. It parses the logs (like
Logstash) but writes alerts to files and sends alerts by email.
I have another logstash instance that reads the alerts from OSSEC, so I can
have a nice dashboard for them in Kibana.

On Monday, June 23, 2014 7:49:03 AM UTC-3, Siddharth Trikha wrote:

> @Antonio: I use the email output for a particular pattern in a log. But,
> for example, when a particular log comes more than 5 times, alerting on
> this requires a state to be maintained, which is not there in logstash.
> [...]

So inputting log files to logstash (parse, store, view) and separately
doing this for alerts (OSSEC: parse, alert), will this not create redundancy?

Does OSSEC have rules for threshold crossing? Any suggestions on which fits my
scenario best?

On Monday, 23 June 2014 16:55:54 UTC+5:30, Antonio Augusto Santos wrote:

> OSSEC is a HIDS (Host Intrusion Detection System); its objective is to
> parse logs, check the logs against rules and send alerts.
> [...]

Yes, it adds redundancy, but for now I think it's the best option.

OSSEC has a very flexible analysis system, and it should fit your needs
without much trouble.

On Monday, June 23, 2014 8:42:46 AM UTC-3, Siddharth Trikha wrote:

> [...]
> Does OSSEC have rules for threshold crossing? Any suggestions on which
> fits my scenario best?
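To the threshold question: yes. OSSEC composite rules take `frequency` and `timeframe` attributes (plus `same_source_ip`, `same_user` and similar qualifiers) and match when the rule named in `if_matched_sid` has fired that many times within that many seconds. The rule below is an added example of a local rule, not taken from the thread. Rule 5716 is OSSEC's stock "SSHD authentication failed" rule in sshd_rules.xml, and the stock rule 5720 already implements a similar threshold (frequency 8 within 120 s), so this only tightens it to the 5-in-5-minutes case. The rule id 100100 is an assumption (user rules must use ids of 100000 and above); the file path is OSSEC's default location for local rules.

```xml
<!-- /var/ossec/rules/local_rules.xml  (added example; 100100 is our own id) -->
<group name="local,syslog,sshd,">

  <!-- Fire when the stock rule 5716 ("SSHD authentication failed") has
       matched more than 5 times from the same source IP within 300 s.
       Level 10 is above the default <email_alert_level> of 7 in ossec.conf,
       and alert_by_email forces the mail even if that level is raised. -->
  <rule id="100100" level="10" frequency="6" timeframe="300">
    <if_matched_sid>5716</if_matched_sid>
    <same_source_ip />
    <description>sshd: more than 5 failed logins from one source in 5 minutes</description>
    <options>alert_by_email</options>
    <group>authentication_failures,</group>
  </rule>

</group>
```

`frequency="6"` expresses the intent ("more than 5"), but the exact count at which OSSEC's composite rules fire has differed between versions, so replay a burst of sshd lines through `/var/ossec/bin/ossec-logtest` before trusting the number, and check that the new rule wins over 5720 rather than both firing. With `<jsonout_output>yes</jsonout_output>` in the `<global>` section of ossec.conf (OSSEC 2.8 and later) the alerts also land in `/var/ossec/logs/alerts/alerts.json`, which is the file a second logstash instance can tail with the json codec to get Antonio's Kibana dashboard of OSSEC alerts.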

We use Nagios for alerting. I originally was using the nsca output plugin
for logstash, but found that it took close to a second to execute the
command-line nsca client, and if we got flooded with alert messages,
logstash would fall behind. I've since switched to using the http output and
sending JSON to the nagios-api server (https://github.com/zorkian/nagios-api).
That seems to scale a lot better.

We also have metrics sent from logstash to statsd/graphite, but mostly
so I can see message rates.

mike


We have and use SPM (http://sematext.com/spm/) for all our metrics (ES,
Kafka, Apache, MySQL, Hadoop, everything) and we feed our logs to Logsene
(http://sematext.com/logsene/), which has a Kibana UI and a "native" UI. SPM
has alerting and anomaly detection, so we use that to get out of bed early
(nah, not really), but we currently lack alerting in Logsene (i.e. alerting
on numerical data in logs or on patterns). Since Logsene has a Kibana UI, can
be fed via Logstash and has an Elasticsearch API and backend, that's the
closest we've gotten to ELK+Alerts.

Otis

Performance Monitoring * Log Analytics * Search Analytics
Solr & Elasticsearch Support * http://sematext.com/

On Wednesday, June 25, 2014 11:18:01 AM UTC-4, Michael Hart wrote:

> We use Nagios for alerting.
> [...]

Nagios recently released a new log analysis product called Nagios Log
Server (http://www.nagios.com/products/nagios-log-server), which is built
using the ELK stack and provides alerting, authentication, GUI logstash
configuration for the whole cluster and a ton more.

Alerts based on any query can be sent directly to Nagios, email, SNMP
traps, custom script execution and more...

Scott
