Can someone help me on how to configure the watcher in 6.6 version

I am new to ELK Stack and exploring all the options it has offered to the users.
Right now, I am stuck with the alerting (watcher). Can anyone please let me know how to do the watcher configuration and set the alerts?
I am using Kibana v6.6 and have enabled the X-Pack features as well.

Any help is really appreciated.

Hi @kamaleshwar,

Where are you stuck at? You need to go to management > watchers and click on "Create advanced watch". From there, the watch configuration is taken from the Elasticsearch API: https://www.elastic.co/guide/en/elasticsearch/reference/current/watcher-api-put-watch.html

Let me know if you have further questions.

Hi @sebastien
Currently I am stuck in adding the actions for the watcher. I am able to provide some threshold value based on the metric beats (system.cpu.pct), and I am able to view the graph for the provided condition.
When I click on Add new action, I see the email and Slack showing as "Disabled. Configure elasticsearch.yml", but I am not sure what configurations need to be done to make them enabled.
Can you please guide me on the configurations that need to be done?

Thanks in Advance,

For the email action you need to configure elasticsearch.yml file according to those settings:
https://www.elastic.co/guide/en/elastic-stack-overview/6.6/actions-email.html

For the slack action, these are the settings you need to set:
https://www.elastic.co/guide/en/elastic-stack-overview/6.6/actions-slack.html#configuring-slack

Hi @sebastien,

I am trying to configure the email action using a test email address of Outlook. I followed the configuration as provided for "Sending Email from Outlook.com". I copied the below provided on devtool and, when executed, got the error (below the one executed in devtool).

xpack.notification.email.account:
    outlook_account:
        profile: outlook
        smtp:
            auth: true
            starttls.enable: true
            host: smtp-mail.outlook.com
            port: 587
            user: xxxxxxx@outlook.com

{
    "statusCode": 400,
    "error": "Bad Request",
    "message": "child "method" fails because ["method" must be one of [HEAD, GET, POST, PUT, DELETE]]. child "path" fails because ["path" is not allowed to be empty]",
    "validation": {
        "source": "query",
        "keys": [
            "method",
            "path"
        ]
    }
}

Can you please help me out? What am I missing that was supposed to be given?

Hello,
Could you please use the formatter for the code, as it is quite difficult to read?
Also, you mention that you copied it in devtool, and the configuration has to be put in the elasticsearch.yml file.

Hi @sebastien ,

I did add the provided configuration in elasticsearch.yml, and after running the below step for password setup:

In order to store the account SMTP password, use the keystore command (see secure settings)

bin/elasticsearch-keystore xpack.notification.email.account.outlook_account.smtp.secure_password

Got an error message as "ERROR: Unknown command [xpack.notification.email.account.outlook_account.smtp.secure_password]"

2) Do I need to change anything else in the below, apart from the email address, for which I have added a sample email address for testing?

xpack.notification.email.account:
    outlook_account:
        profile: outlook
        smtp:
            auth: true
            starttls.enable: true
            host: smtp-mail.outlook.com
            port: 587
            user: <email.address>

Is there any video available to perform the email action from the watcher? I found one, but it was quite old and differs a lot, as I am currently using v6.6.

Hello,

It seems that the documentation has an error. Could you try with the following command to set the password? (with the "add" verb)

bin/elasticsearch-keystore add xpack.notification.email.account.outlook_account.smtp.secure_password

Hi @sebastien

I have added the Gmail account for email notification in the elasticsearch.yml file, but I am still getting the error "Failed to send to xxxxx@gmail.com".
Please find below the lines I have added in the .yml file:
xpack.security.enabled: true

xpack.notification.email.account:
    gmail_account:
        profile: gmail
        smtp:
            auth: true
            starttls.enable: true
            host: smtp.gmail.com
            port: 587
            user: elastic
            password: xxxxxxx 

1) Can you please let me know what user name and password I should give here: either the Elasticsearch credentials or the Gmail credentials?
2) I even tried the Slack alert by adding the below in the elasticsearch.yml file:
xpack.notification.slack:
    account:
        monitoring:
            url: https://hooks.slack.com/services/xxxxxx/xxxyyyxx/

I have added the webhook URL in the above and added it in the .yml file, but I am still not getting any alert in Slack. I just received the same error.

To configure Slack, do I need to add anything else in the elasticsearch.yml file?

3) I tested the payload in Postman and the output was 200 OK.

I am pretty stuck in the alert part of Kibana. Any help to get this working would be of great help to me.

Thanks in Advance,

Regards,
Kamaleshwar
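Added example (not part of the thread, and not Elastic's code): the nested YAML in the post above is a tree form of dotted setting names, which is why the keystore entry is called `xpack.notification.email.account.<account>.smtp.secure_password`. This Python sketch flattens the posted fragments and lists the plaintext secrets that belong in the keystore. The helpers `flatten` and `keystore_fixes` and the sample values are constructed here, and `secure_url` is assumed from the Slack action documentation linked earlier, not from the posts.

```python
import re

# Constructed sample: the elasticsearch.yml fragments posted above, placeholder secrets.
SAMPLE_YML = """\
xpack.notification.email.account:
    gmail_account:
        profile: gmail
        smtp:
            starttls.enable: true
            host: smtp.gmail.com
            port: 587
            user: elastic
            password: xxxxxxx
xpack.notification.slack:
    account:
        monitoring:
            url: https://hooks.slack.com/services/PLACEHOLDER
"""

# Plaintext secret setting -> keystore (secure) setting that replaces it.
SECRET_RULES = [
    (re.compile(r"^(xpack\.notification\.email\.account\.[^.]+\.smtp)\.password$"), r"\1.secure_password"),
    (re.compile(r"^(xpack\.notification\.slack\.account\.[^.]+)\.url$"), r"\1.secure_url"),
]

def flatten(text):
    """Flatten space-indented YAML mappings with scalar leaves into dotted setting names."""
    settings, stack = {}, []  # stack: (indent, key) of the mappings currently open
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()  # left a deeper or sibling mapping
        dotted = ".".join([k for _, k in stack] + [key.strip()])
        if value.strip():
            settings[dotted] = value.strip()
        else:
            stack.append((indent, key.strip()))
    return settings

def keystore_fixes(text):
    """Return (plaintext_setting, keystore_command) for every secret left in the yml text."""
    return [(name, "bin/elasticsearch-keystore add " + pattern.sub(secure, name))
            for name in flatten(text)
            for pattern, secure in SECRET_RULES if pattern.match(name)]

for setting, command in keystore_fixes(SAMPLE_YML):
    print(f"{setting}\n  -> {command}")
```

The `user` and password under `smtp` are sent to the mail server, so they are the mail account's credentials rather than those of the Elasticsearch `elastic` user.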

Yes, that is the option I referred to. Is it possible that you changed that file at some point manually and you have been installing Elasticsearch via package repositories? This might be the reason why the file did not get replaced.

The file is getting saved whenever I add the provided. If the elasticsearch.yml has any errors, it would not allow for a service restart of Elasticsearch (I believe it is an OOB functionality).
It would be helpful if you can provide answers to my 1 and 3, and on the credentials part as well.

Thanks again.

It still seems to be not working. Could you please let me know the configuration that needs to be added in the elasticsearch.yml file for the email action and Slack action?
I followed all the steps, but it still did not work for me.

Thanks in Advance,

Hi,

After doing all the email action configurations for Gmail, I see the email action menu is still disabled.
Meanwhile, I tried with Slack using webhook integrations and tried "send a sample message now", which is also not working for me.
Can anyone please help me with the configurations that need to be done for the email actions?

Thanks in Advance,

Kamaleshwar

I had a similar issue. As it turns out, port 587 was incorrect, I need to use port 25. Make sure you're using the correct smtp address which typically is your company name, e.g. smtp.companyname.com. Sorry, that's all I have.
