Mail Configuration for Heart Beat


I am using HeartBeat in our server to check the availability of multiple URLs and it is showing properly in Kibana. I want to get an email if an url is not available or not responding. Is there a way to configure email.

(Tudor Golubenco) #2

You could setup an xpack watch to email you when any "down" events are reported by Heartbeat. Unfortunately I don't have an example ready, but can look for one if x-pack is an option for you.

(Tudor Golubenco) #3

Another option is to send the emails from Logstash.

(Andrew Kroh) #4

Here's the watch that I use to send Slack notifications when a host goes down. It may need to be updated for the latest Heartbeat version because I think some of the fields were renamed. To make it send an email you would replace the slack action with an email action.


Thanks for the reply. I am new to elastic stack and am not that much familar to xpack. When i checked the documentation, it is mentioned that xpack can be installed with elastic search and kibana. I am not sure where I have to install this in my case. In our case, we are not using logstash and heartbeat is directly sending output to elastic search. I had give a try by instaling xpack with both elastic search and kibana plugin, but after restarting both the services, kibana is not working and it is redirecting to the url "http://*****:5601/login?next=%2Fapp%2Fkibana" which is showing the error message 'ERR_TOO_MANY_REDIRECTS'.

(Tudor Golubenco) #6

Yes, you should install xpack in both ES and KB. Xpack comes also with security (user/pass authentication), that's what is causing the redirect. I'm not sure why it doesn't work, though, perhaps you could try a different browser, or cleanup the cookies?

Alternatively, while getting started, you can disable the security in xpack by adding the following int he ES config:


Thanks tudor :), Now it is working as I cleared the cookies and restarted the browser. As per the documentation, I can understand that configuration of email account have to be done in yml file. But regarding the email actions , it is mentioned to configure in the action array. So where I have to define this action array, also how I can configure it to trigger on our specfic condition. My condition is to trigger email only if any specific urls are down which is monitored by the heartbeat


I tried using logstash .As I mentioned, I want the email to be triggered when a specific url is down and it is noticed from kibana that there is a specific field named 'up' for heart beat which will be false ,if the ping failed. So I want to configure in my logstash so that when 'up' is false mail should get trigger. Currently mail is getting triggered if the below "if [up] == false" is not present. Please help me to resolve this issue. Below is my conf file for logstash.

input {
beats {
# The port to listen on for filebeat connections.
port => ****
# The IP address to listen for filebeat connections.
host => ""
output {
elasticsearch {
hosts => ["
user => "
password => "*****"
index => "%{[@metadata][beat]}:%{+YYYY.MM.dd}"
if [up] == "false" {
email {
to => "
from => "
domain => "
port => "25"
via => "smtp"
subject => "URL Down Now"

(Steffen Siering) #9

The up field is a boolean. I guess it must say if ![up] { ... }. But logstash does not differentiate between false and field missing. Both will get you false as response. As heartbeat always reports the up field, you can add a check for the beat type like:

if [@metadata][beat] == "heartbeat" && ![up] {

Please note, the event format in heartbeat in most recent 6.0 alpha/beta releases has been changed significantly. See:

With this change the boolean up field is removed, in favour of string values. Your conditional in logstash will becomes:

if [monitor][status] != "up" {
  email {
    subject => "URL '%{[http][url]} status: %{[monitor][status]}"

Right now monitor.status can only be "up" and "down", but in case we ever add more status types, this configuration will report the URL and the actual status.

btw. The logstash outputs do work concurrently. That is, the mail can be send, even if the event is not indexed by Elasticsearch yet. At worst, you might not be able to inspect the monitor output in kibana yet. Therefore, include as many information in the email as you might need to identify the actual service/server being down.


It got worked, but when I put '&&' it shown some error and when I put multiple 'if' it got resolved

(system) #11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.